| Message ID | 1525372736-25094-1-git-send-email-amit.pundir@linaro.org (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Samuel Ortiz |
| Headers | show |
Hi Amit, On Fri, May 04, 2018 at 12:08:53AM +0530, Amit Pundir wrote: > From: Suren Baghdasaryan <surenb@google.com> > > Out of bounds kernel accesses in st21nfca's NFC HCI layer > might happen when handling ATR_REQ events if user-specified > atr_req->length is bigger than the buffer size. In > that case memcpy() inside st21nfca_tm_send_atr_res() will > read extra bytes resulting in OOB read from the kernel heap. > > cc: Stable <stable@vger.kernel.org> > Signed-off-by: Suren Baghdasaryan <surenb@google.com> > Signed-off-by: Amit Pundir <amit.pundir@linaro.org> > Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> > --- > v3..v1: > Resend. No changes. > > drivers/nfc/st21nfca/dep.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) All 4 patches applied to nfc-next, thanks. Cheers, Samuel.
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index fd08be2917e6..3420c5104c94 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; }