diff options
author | Suren Baghdasaryan <surenb@google.com> | 2018-05-04 00:08:53 +0530 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2018-06-08 22:37:12 -0400 |
commit | 48badd41fbfd803331dc8796cbb12b826a6446b9 (patch) | |
tree | 1b3f8a9107e8df97947b92ff8203b11ab5f3d354 | |
parent | c99f996b2ba49572d228075a5517455b8ecf6585 (diff) | |
download | nfc-next-48badd41fbfd803331dc8796cbb12b826a6446b9.tar.gz |
NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ
Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.
cc: Stable <stable@vger.kernel.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-rw-r--r-- | drivers/nfc/st21nfca/dep.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e60..3420c5104c943 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } |