Attachment #158552 for bug #201432

Lines 2-8 Link Here

(-)Makefile (-1 / +1 lines)
2		2
3	PORTNAME= wpa_supplicant	3	PORTNAME= wpa_supplicant
4	PORTVERSION= 2.4	4	PORTVERSION= 2.4
5	PORTREVISION= 3	5	PORTREVISION= 4
6	CATEGORIES= security net	6	CATEGORIES= security net
7	MASTER_SITES= http://w1.fi/releases/	7	MASTER_SITES= http://w1.fi/releases/
8		8




--- src/wps/ndef.c.orig	2015-03-15 17:30:39 UTC
+++ src/wps/ndef.c
@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
 		if (size < 6)
 			return -1;
 		record->payload_length = ntohl(*(u32 *)pos);
+		if (record->payload_length > size - 6)
+			return -1;
 		pos += sizeof(u32);
 	}
 
@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
 	pos += record->payload_length;
 
 	record->total_length = pos - data;
-	if (record->total_length > size)
+	if (record->total_length > size ||
+	    record->total_length < record->payload_length)
 		return -1;
 	return 0;
 }

Return to bug 201432

Line 0 Link Here

(-)files/patch-src_wps_ndef.c (+21 lines)
	1	--- src/wps/ndef.c.orig 2015-03-15 17:30:39 UTC
	2	+++ src/wps/ndef.c
	3	@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *d
	4	if (size < 6)
	5	return -1;
	6	record->payload_length = ntohl((u32 )pos);
	7	+ if (record->payload_length > size - 6)
	8	+ return -1;
	9	pos += sizeof(u32);
	10	}
	11
	12	@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *d
	13	pos += record->payload_length;
	14
	15	record->total_length = pos - data;
	16	- if (record->total_length > size)
	17	+ if (record->total_length > size \|\|
	18	+ record->total_length < record->payload_length)
	19	return -1;
	20	return 0;
	21	}