ndef: Fix offset check when parsing NDEF records
authorOlivier Guiter <olivier.guiter@linux.intel.com>
Mon, 22 Oct 2012 13:52:50 +0000 (15:52 +0200)
committerSamuel Ortiz <sameo@linux.intel.com>
Wed, 24 Oct 2012 09:01:20 +0000 (11:01 +0200)
For each record header entry we need to check that the offset plus the
payload length is not longer than the total record length.

src/ndef.c

index 0ea348e..4c46265 100644 (file)
@@ -916,7 +916,7 @@ static struct near_ndef_record_header *parse_record_header(uint8_t *rec,
                offset += 4;
                header_len += 4;
 
-               if (offset >= length)
+               if ((offset + rec_header->payload_len) > length)
                        goto fail;
        }
 
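Review bot: The replacement condition is weaker than the one it removes when `payload_len` is 0: `(offset + 0) > length` lets `offset == length` through, where `offset >= length` rejected it, and the next block then reads the IL-length byte with `rec[offset++]`, i.e. `rec[length]`, one past the buffer. Since this check has to guard the header fields still to be read as well as the payload, keep both conditions: `if (offset >= length || rec_header->payload_len > length - offset) goto fail;`. The subtraction form also cannot wrap, which `offset + payload_len` can if both are 32-bit — their types are not visible in this hunk. The enclosing `if` block starts outside the hunk.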
@@ -926,7 +926,7 @@ static struct near_ndef_record_header *parse_record_header(uint8_t *rec,
                rec_header->il_length = rec[offset++];
                header_len++;
 
-               if (offset >= length)
+               if ((offset + rec_header->payload_len) > length)
                        goto fail;
        }
 
@@ -942,7 +942,7 @@ static struct near_ndef_record_header *parse_record_header(uint8_t *rec,
                offset += rec_header->type_len;
                header_len += rec_header->type_len;
 
-               if (offset >= length)
+               if ((offset + rec_header->payload_len) > length)
                        goto fail;
        }
 
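Review bot: The check here runs after `offset += rec_header->type_len`, so it bounds what comes next rather than the type bytes themselves; whatever consumes those bytes just above the hunk (not visible here) is presumably relying on the previous block's check, which only guarantees `offset < length`, not `type_len` bytes available. A check before the type bytes are consumed, `if (rec_header->type_len > length - offset) goto fail;`, would close that, and the same `payload_len == 0` gap as in the earlier hunks applies: `offset == length` passes and the ID block's `rec[offset]` reads then start at `rec[length]`. The enclosing `if` block starts outside the hunk.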
@@ -959,13 +959,10 @@ static struct near_ndef_record_header *parse_record_header(uint8_t *rec,
                offset += rec_header->il_length;
                header_len += rec_header->il_length;
 
-               if (offset >= length)
+               if ((offset + rec_header->payload_len) > length)
                        goto fail;
        }
 
-       if ((offset + rec_header->payload_len) > length)
-               goto fail;
-
        rec_header->rec_type = get_record_type(rec_header->tnf, type,
                                                        rec_header->type_len);
        rec_header->offset = offset;
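Review bot: Removing the unconditional check that followed the ID block drops the only bound on `payload_len` for a record that enters none of the four optional-field blocks — a short record (the SR branch is outside the hunk) with no ID and an empty type — so `rec_header->offset` and `payload_len` are handed back without `payload_len` ever having been compared against `length`, and a consumer that trusts them to read the payload would read past `rec`. Keep it in place, ahead of the get_record_type call: `if ((offset + rec_header->payload_len) > length) goto fail;` or, to also rule out wrap-around when both operands are 32-bit, `if (offset > length || rec_header->payload_len > length - offset) goto fail;`. The function's return and the fail label are outside the hunk.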