From patchwork Fri Feb 9 20:04:47 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10209951
X-Patchwork-Delegate: sameo@linux.intel.com
Date: Fri, 9 Feb 2018 12:04:47 -0800
From: Kees Cook
To: Samuel Ortiz
Cc: Thierry Escande, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] NFC: llcp: Limit size of SDP URI
Message-ID: <20180209200447.GA33465@beast>
X-Mailing-List: linux-wireless@vger.kernel.org

The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
this both in the NLA policy and in the code that performs the allocation
and copy.

Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook --- Alternatively, tlv_len switch to size_t, but we'd still have to do the "-4" calculation. --- net/nfc/llcp_commands.c | 4 ++++ net/nfc/netlink.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 367d8c027101..2ceefa183cee 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, pr_debug("uri: %s, len: %zu\n", uri, uri_len); + /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ + if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) + return NULL; + sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); if (sdreq == NULL) return NULL; diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index c0b83dc9d993..f018eafc2a0d 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -61,7 +61,8 @@ static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = { }; static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { - [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, + [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, + .len = U8_MAX - 4 }, [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, };
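Review bot: in the net/nfc/llcp_commands.c hunk the limit is written as the bare expression U8_MAX - 4, and the identical expression is repeated in the nfc_sdp_genl_policy entry in net/nfc/netlink.c; if either site is adjusted later the other silently drifts, so the limit should get one name in a shared header (something like NFC_LLCP_SDP_URI_MAX, name hypothetical) and both places should use it, which also answers the "-4 calculation" remark in the cover note. Separately, WARN_ON_ONCE turns an oversize uri_len into a kernel warning (a panic under panic_on_warn), which is only acceptable if every caller of nfc_llcp_build_sdreq_tlv() is guaranteed to have enforced the bound already; the netlink policy does that for the netlink path, but any other caller should be checked, otherwise a plain `if (uri_len > U8_MAX - 4) return NULL;` is the safer shape. Minor: the comment should say NUL (the terminator byte), not NULL (the pointer).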
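Review bot: for the net/nfc/netlink.c hunk, confirm that `.len = U8_MAX - 4` on an NLA_STRING attribute really keeps the uri_len later handed to nfc_llcp_build_sdreq_tlv() at or below U8_MAX - 4. The NLA_STRING policy length is checked after a trailing NUL byte is discounted, so a 251-byte URI sent with its terminator passes the policy as a 252-byte attribute; if the caller passes nla_len() through unchanged as uri_len, the WARN_ON_ONCE added in llcp_commands.c becomes reachable from a well-formed netlink request. Either lower the policy bound by one, or strip the terminator before computing uri_len, and state in a comment which convention the policy bound follows, since that bound is the one user space sees.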
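The commit message's point, that a u8 tlv_len cannot hold a 3-byte header, a NUL and a URI longer than 251 bytes, as an added example that is not part of the patch or of the kernel's code: a user-space model of the unchecked length computation beside a checked builder that applies the same bound the patch adds. The TLV layout ([type][length][tid][uri][NUL], matching the "+ 3 for header, + 1 for NULL" comment in the hunk), the SDREQ_TLV_TYPE value and the sdreq_model_* names are assumptions made for the example.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model of
 * why nfc_llcp_build_sdreq_tlv() must bound uri_len before storing a u8
 * tlv_len.  Layout assumed here: [type][length][tid][uri bytes][NUL], so
 * tlv_len = uri_len + 3 (header) + 1 (terminator), as the patch comment says.
 * The sdreq_model_* names and the SDREQ_TLV_TYPE value are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDREQ_HDR_LEN   3                 /* type, length, tid (assumed layout) */
#define SDREQ_TLV_TYPE  0x08              /* placeholder type byte for the model */
#define SDREQ_URI_MAX   (UINT8_MAX - 4)   /* the bound the patch enforces: 251 */

struct sdreq_model {
	uint8_t tlv_len;   /* u8, like sdreq->tlv_len in struct nfc_llcp_sdp_tlv */
	uint8_t *tlv;      /* header followed by the URI and a NUL */
	size_t alloc_len;  /* bytes actually allocated, kept so the copy can be checked */
};

/* The length an unchecked builder stores: the sum is computed in size_t but
 * the assignment to u8 keeps only the low 8 bits, i.e. wraps modulo 256. */
uint8_t sdreq_model_tlv_len(size_t uri_len)
{
	return (uint8_t)(uri_len + SDREQ_HDR_LEN + 1);
}

/* 1 if an allocation sized from the wrapped tlv_len is too small for the
 * header plus the uri_len bytes an unchecked builder goes on to memcpy. */
int sdreq_model_overflows(size_t uri_len)
{
	size_t alloc_len = sdreq_model_tlv_len(uri_len);

	return SDREQ_HDR_LEN + uri_len > alloc_len;
}

void sdreq_model_free(struct sdreq_model *s)
{
	if (s) {
		free(s->tlv);
		free(s);
	}
}

/* Checked builder, mirroring the patch: refuse the URI before any allocation
 * when the u8 length field could not hold it.  Returns NULL on oversize or
 * empty input and on allocation failure. */
struct sdreq_model *sdreq_model_build(uint8_t tid, const char *uri, size_t uri_len)
{
	struct sdreq_model *s;

	if (uri_len == 0 || uri_len > SDREQ_URI_MAX)
		return NULL;

	s = calloc(1, sizeof(*s));
	if (!s)
		return NULL;

	s->tlv_len = (uint8_t)(uri_len + SDREQ_HDR_LEN + 1);  /* at most 255 now */
	s->alloc_len = s->tlv_len;
	s->tlv = calloc(s->alloc_len, 1);
	if (!s->tlv) {
		free(s);
		return NULL;
	}
	s->tlv[0] = SDREQ_TLV_TYPE;
	s->tlv[1] = (uint8_t)(uri_len + 1);   /* assumed: length field covers tid + uri */
	s->tlv[2] = tid;
	memcpy(s->tlv + SDREQ_HDR_LEN, uri, uri_len);   /* final byte stays NUL */
	return s;
}

/* Builds a uri_len-byte URI of 'a's with the checked builder and verifies the
 * result: returns 1 if it was built and laid out as expected, 0 if rejected. */
int sdreq_model_roundtrip(size_t uri_len)
{
	char uri[512];
	struct sdreq_model *s;
	int ok;

	if (uri_len > sizeof(uri))
		return 0;
	memset(uri, 'a', sizeof(uri));
	s = sdreq_model_build(0x11, uri, uri_len);
	if (!s)
		return 0;
	ok = (size_t)s->tlv_len == uri_len + SDREQ_HDR_LEN + 1 &&
	     s->tlv[0] == SDREQ_TLV_TYPE && s->tlv[2] == 0x11 &&
	     memcmp(s->tlv + SDREQ_HDR_LEN, uri, uri_len) == 0 &&
	     s->tlv[s->alloc_len - 1] == 0;
	sdreq_model_free(s);
	return ok;
}

int main(void)
{
	const size_t lens[] = { 16, SDREQ_URI_MAX, SDREQ_URI_MAX + 1, 300 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("uri_len=%3zu: unchecked u8 tlv_len=%3u (overflow: %s), checked build: %s\n",
		       lens[i], (unsigned)sdreq_model_tlv_len(lens[i]),
		       sdreq_model_overflows(lens[i]) ? "yes" : "no",
		       sdreq_model_roundtrip(lens[i]) ? "ok" : "rejected");
	return 0;
}
```

Build with `cc -std=c99 -Wall sdreq_model.c` and run it: at uri_len 252 the unchecked u8 length wraps to 0, an allocation sized from it is far too small for the 255 bytes the copy would write, and the checked builder refuses the same input before touching the allocator. The comparison is done in size_t, exactly as the patch's `uri_len > U8_MAX - 4` is, because a check applied after the narrowing assignment would only ever see the wrapped value.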