WPS: Check NDEF record length fields separately
Try to make the bounds checking easier for static analyzers by checking each length field separately in addition to checking them all in the end against the total buffer length. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
cd0e8653a2
commit
30403e9657
1 changed files with 6 additions and 0 deletions
|
@ -63,12 +63,18 @@ static int ndef_parse_record(const u8 *data, u32 size,
|
||||||
} else
|
} else
|
||||||
record->id_length = 0;
|
record->id_length = 0;
|
||||||
|
|
||||||
|
if (record->type_length > data + size - pos)
|
||||||
|
return -1;
|
||||||
record->type = record->type_length == 0 ? NULL : pos;
|
record->type = record->type_length == 0 ? NULL : pos;
|
||||||
pos += record->type_length;
|
pos += record->type_length;
|
||||||
|
|
||||||
|
if (record->id_length > data + size - pos)
|
||||||
|
return -1;
|
||||||
record->id = record->id_length == 0 ? NULL : pos;
|
record->id = record->id_length == 0 ? NULL : pos;
|
||||||
pos += record->id_length;
|
pos += record->id_length;
|
||||||
|
|
||||||
|
if (record->payload_length > (size_t) (data + size - pos))
|
||||||
|
return -1;
|
||||||
record->payload = record->payload_length == 0 ? NULL : pos;
|
record->payload = record->payload_length == 0 ? NULL : pos;
|
||||||
pos += record->payload_length;
|
pos += record->payload_length;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue