| Message ID | 1524045904-7005-5-git-send-email-amit.pundir@linaro.org (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Samuel Ortiz |
| Headers | show |
On Wed, 2018-04-18 at 15:35 +0530, Amit Pundir wrote: > + if (phy->next_read_size > > FDP_NCI_I2C_MAX_PAYLOAD) { > + dev_dbg(&client->dev, "%s: corrupted > packet\n", > + __func__); If Android people would follow the kernel in reasonable time they may have noticed Dynamic Debug functionality and how it works. In this case the __func__ is superfluous. > + phy->next_read_size = 5; > + goto flush; > + } > } else { > phy->next_read_size = > FDP_NCI_I2C_MIN_PAYLOAD; >
On Wed, Apr 18, 2018 at 03:35:04PM +0530, Amit Pundir wrote: > From: Suren Baghdasaryan <surenb@google.com> > > Possible buffer overflow when reading next_read_size bytes into > tmp buffer after next_read_size was extracted from a previous packet. > > Signed-off-by: Suren Baghdasaryan <surenb@google.com> > Signed-off-by: Amit Pundir <amit.pundir@linaro.org> > --- > drivers/nfc/fdp/i2c.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c > index c4da50e07bbc..08a4f82a2965 100644 > --- a/drivers/nfc/fdp/i2c.c > +++ b/drivers/nfc/fdp/i2c.c > @@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) > /* Packet that contains a length */ > if (tmp[0] == 0 && tmp[1] == 0) { > phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; > + /* > + * Ensure next_read_size does not exceed sizeof(tmp) > + * for reading that many bytes during next iteration > + */ > + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { > + dev_dbg(&client->dev, "%s: corrupted packet\n", > + __func__); As Andy points out, no need for __func__ in any dev_dbg() call. thanks, greg k-h
On 23 April 2018 at 14:46, Greg KH <gregkh@linuxfoundation.org> wrote: > On Wed, Apr 18, 2018 at 03:35:04PM +0530, Amit Pundir wrote: >> From: Suren Baghdasaryan <surenb@google.com> >> >> Possible buffer overflow when reading next_read_size bytes into >> tmp buffer after next_read_size was extracted from a previous packet. >> >> Signed-off-by: Suren Baghdasaryan <surenb@google.com> >> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> >> --- >> drivers/nfc/fdp/i2c.c | 10 ++++++++++ >> 1 file changed, 10 insertions(+) >> >> diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c >> index c4da50e07bbc..08a4f82a2965 100644 >> --- a/drivers/nfc/fdp/i2c.c >> +++ b/drivers/nfc/fdp/i2c.c >> @@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) >> /* Packet that contains a length */ >> if (tmp[0] == 0 && tmp[1] == 0) { >> phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; >> + /* >> + * Ensure next_read_size does not exceed sizeof(tmp) >> + * for reading that many bytes during next iteration >> + */ >> + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { >> + dev_dbg(&client->dev, "%s: corrupted packet\n", >> + __func__); > > As Andy points out, no need for __func__ in any dev_dbg() call. Hi, Yes i'm working on v2 of this patch and on the comments I got on another patch in this series. Thanks, Amit Pundir > > thanks, > > greg k-h
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e07bbc..08a4f82a2965 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "%s: corrupted packet\n", + __func__); + phy->next_read_size = 5; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;