diff mbox series

nfc/nci: Add the inconsistency check between the input data length and count

Message ID tencent_53E8065F49BD2ECD2EC28C9AE7EC86EC5206@qq.com (mailing list archive)
State Accepted
Commit 068648aab72c9ba7b0597354ef4d81ffaac7b979
Delegated to: Netdev Maintainers
Headers show
Series nfc/nci: Add the inconsistency check between the input data length and count | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 902 this patch: 902
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: bongsu.jeon@samsung.com
netdev/build_clang success Errors and warnings before: 906 this patch: 906
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 906 this patch: 906
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-05-29--12-00 (tests: 1040)

Commit Message

Edward Adam Davis May 28, 2024, 3:12 a.m. UTC 
write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf)

Syzbot constructed a write() call with a data length of 3 bytes but a count value
of 15, which passed too little data to meet the basic requirements of the function
nci_rf_intf_activated_ntf_packet().

Therefore, increasing the comparison between data length and count value to avoid
problems caused by inconsistent data length and count.

Reported-and-tested-by: syzbot+71bfed2b2bcea46c98f2@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/nfc/virtual_ncidev.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org May 29, 2024, 12:10 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Tue, 28 May 2024 11:12:31 +0800 you wrote:
> write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf)
> 
> Syzbot constructed a write() call with a data length of 3 bytes but a count value
> of 15, which passed too little data to meet the basic requirements of the function
> nci_rf_intf_activated_ntf_packet().
> 
> Therefore, increasing the comparison between data length and count value to avoid
> problems caused by inconsistent data length and count.
> 
> [...]

Here is the summary with links:
  - nfc/nci: Add the inconsistency check between the input data length and count
    https://git.kernel.org/netdev/net/c/068648aab72c

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
index 590b038e449e..6b89d596ba9a 100644
--- a/drivers/nfc/virtual_ncidev.c
+++ b/drivers/nfc/virtual_ncidev.c
@@ -125,6 +125,10 @@  static ssize_t virtual_ncidev_write(struct file *file,
 		kfree_skb(skb);
 		return -EFAULT;
 	}
+	if (strnlen(skb->data, count) != count) {
+		kfree_skb(skb);
+		return -EINVAL;
+	}
 
 	nci_recv_frame(vdev->ndev, skb);
 	return count;