ports/security/wpa_supplicant/files/patch-src_wps_ndef.c
John Marino d856fd137b security/wpa_supplicant: Address security issue (2015-5)
There was a vulnerability to the WPS_NFC option which is off by default.
The port is being bumped anyway since people using that option will want
the latest version.

PR:		201432
Submitted by:	Jason Unovitch
2015-07-12 11:22:10 +00:00

21 lines
577 B
C

--- src/wps/ndef.c.orig 2015-03-15 17:30:39 UTC
+++ src/wps/ndef.c
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
if (size < 6)
return -1;
record->payload_length = ntohl(*(u32 *)pos);
+ if (record->payload_length > size - 6)
+ return -1;
pos += sizeof(u32);
}
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
pos += record->payload_length;
record->total_length = pos - data;
- if (record->total_length > size)
+ if (record->total_length > size ||
+ record->total_length < record->payload_length)
return -1;
return 0;
}