diff options
| -rw-r--r-- | src/wps/ndef.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/wps/ndef.c b/src/wps/ndef.c index 96685d2b..99170a7b 100644 --- a/src/wps/ndef.c +++ b/src/wps/ndef.c @@ -47,6 +47,8 @@ static int ndef_parse_record(const u8 *data, u32 size, if (size < 6) return -1; record->payload_length = ntohl(*(u32 *)pos); + if (record->payload_length > size - 6) + return -1; pos += sizeof(u32); } @@ -67,7 +69,8 @@ static int ndef_parse_record(const u8 *data, u32 size, pos += record->payload_length; record->total_length = pos - data; - if (record->total_length > size) + if (record->total_length > size || + record->total_length < record->payload_length) return -1; return 0; } |