From: Nicolas Iooss
To: christophe.ricard@gmail.com, sameo@linux.intel.com, lauro.venancio@openbossa.org, aloisio.almeida@openbossa.org
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] NFC: st21nfca: fix st21nfca_get_iso14443_3_uid data copy
Date: Tue, 3 Mar 2015 12:58:52 +0800
Message-Id: <1425358732-31752-1-git-send-email-nicolas.iooss_linux@m4x.org>
In-Reply-To: <54F17F43.7060605@m4x.org>
References: <54F17F43.7060605@m4x.org>

st21nfca_get_iso14443_3_uid() does not correctly copy the uid from
uid_skb->data to its gate parameter. "gate = uid_skb->data;" only puts
a pointer to uid_skb->data to the local variable gate. This means that
in st21nfca_hci_target_from_gate() the content of
"u8 uid[NFC_NFCID1_MAXSIZE]" local variable is never initialized before
being used in memcpy(target->nfcid1, uid, len).

Fix this by replacing the local variable assignment with a memcpy.

This was found by compiling Linux with "gcc -Wunused-but-set-parameter".

Signed-off-by: Nicolas Iooss
---
As I did not get any reply from https://lkml.org/lkml/2015/2/28/25 and
got confirmation by other people that this may be a real bug, I am now
sending a patch to fix it.

 drivers/nfc/st21nfca/st21nfca.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nfc/st21nfca/st21nfca.c b/drivers/nfc/st21nfca/st21nfca.c index 24d3d240d5f4..ff70d2838b29 100644 --- a/drivers/nfc/st21nfca/st21nfca.c +++ b/drivers/nfc/st21nfca/st21nfca.c 
@@ -588,7 +588,7 @@ static int st21nfca_get_iso14443_3_uid(struct nfc_hci_dev *hdev, u8 *gate, goto exit; } - gate = uid_skb->data; + memcpy(gate, uid_skb->data, uid_skb->len); *len = uid_skb->len; exit: kfree_skb(uid_skb);
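
Review bot: The new memcpy(gate, uid_skb->data, uid_skb->len) takes its length from the device response and writes into a caller buffer whose size is not passed to this function, so the copy is only safe if uid_skb->len has already been bounded. The context above the change shows just the tail of a check ("goto exit; }") and not what it tests; please confirm that check rejects uid_skb->len greater than NFC_NFCID1_MAXSIZE, the size of the uid[] array the commit message names as the destination, and add such a check before the memcpy if it does not. A short comment stating that the caller must supply at least NFC_NFCID1_MAXSIZE bytes would also help, as would renaming the "gate" parameter, since it is used here as the UID output buffer.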