ua-test: Check bounds for tainted integer device uid length

Integer value 'device_uid_len' is being obtained from untrusted source.
Bounds of device uid length needs to be checked before using it as a loop
bound.

Change-Id: Idcb1f9b67d099d9f3443166ae559c81c563632ad
Signed-off-by: Abhay Agarwal <ay.agarwal@samsung.com>

diff --git a/test/uat-payload.c b/test/uat-payload.c
index eaa927cab66a5f4cd47514b5bf921c596705141a..2548e9a6a49b9a7ce539ddbb97b8993b5e126980 100644 (file)
--- a/test/uat-payload.c
+++ b/test/uat-payload.c
@@ -147,6 +147,7 @@ static int _scan_payload_device_uid_str(
 
        if (strlen(g_payload_device_uid_len))
                len = (unsigned char)strtol(g_payload_device_uid_len, NULL, 10);
+       len = len < UA_BLE_PAYLOAD_DEVICE_UID_MAX_LEN ? len : UA_BLE_PAYLOAD_DEVICE_UID_MAX_LEN;
        device_uid_len = len > 0 ? len : 0;
 
        for (int i = 0; i < device_uid_len; i++) {