Merge pull request #676 from LedgerHQ/fix/apa/dynamic_networks_tlv_pa…

…rser_oob Fix potential out-of-bounds read by up to 2 bytes during TLV parsing
LedgerHQ · Nov 27, 2024 · 81cb59a · 81cb59a
2 parents 1a373e6 + 51bc8b2
commit 81cb59a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src_features/provideDynamicNetwork/network_dynamic.c b/src_features/provideDynamicNetwork/network_dynamic.c
@@ -493,6 +493,10 @@ static uint16_t parse_tlv(const uint8_t *data, uint8_t length) {
     cx_sha256_init(&sig_ctx.hash_ctx);
     // handle TLV payload
     while (offset != length) {
+        if ((offset + 2) > length) {
+            sw = APDU_RESPONSE_INVALID_DATA;
+            break;
+        }
         tag_start_off = offset;
         field_tag = data[offset++];
         field_len = data[offset++];