Fix potential out-of-bounds read by up to 2 bytes during TLV parsing

LedgerHQ · Nov 27, 2024 · 51bc8b2 · 51bc8b2
1 parent 1a373e6
commit 51bc8b2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src_features/provideDynamicNetwork/network_dynamic.c b/src_features/provideDynamicNetwork/network_dynamic.c
@@ -493,6 +493,10 @@ static uint16_t parse_tlv(const uint8_t *data, uint8_t length) {
     cx_sha256_init(&sig_ctx.hash_ctx);
     // handle TLV payload
     while (offset != length) {
+        if ((offset + 2) > length) {
+            sw = APDU_RESPONSE_INVALID_DATA;
+            break;
+        }
         tag_start_off = offset;
         field_tag = data[offset++];
         field_len = data[offset++];