NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. cc: Stable <stable@vger.kernel.org> Signed-off-by: Suren Baghdasaryan <surenb@google.com> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
author: Suren Baghdasaryan <surenb@google.com> 2018-05-04 00:08:53 +0530
committer: Samuel Ortiz <sameo@linux.intel.com> 2018-06-08 22:37:12 -0400
commit: 48badd41fbfd803331dc8796cbb12b826a6446b9 (patch)
tree: 1b3f8a9107e8df97947b92ff8203b11ab5f3d354
parent: c99f996b2ba49572d228075a5517455b8ecf6585 (diff)
download: nfc-next-48badd41fbfd803331dc8796cbb12b826a6446b9.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index fd08be2917e60..3420c5104c943 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c
@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
-	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+	if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+	    atr_req->length > skb->len) {
 		r = -EPROTO;
 		goto exit;
 	}
author	Suren Baghdasaryan <surenb@google.com>	2018-05-04 00:08:53 +0530
committer	Samuel Ortiz <sameo@linux.intel.com>	2018-06-08 22:37:12 -0400
commit	48badd41fbfd803331dc8796cbb12b826a6446b9 (patch)
tree	1b3f8a9107e8df97947b92ff8203b11ab5f3d354
parent	c99f996b2ba49572d228075a5517455b8ecf6585 (diff)
download	nfc-next-48badd41fbfd803331dc8796cbb12b826a6446b9.tar.gz