ANDROID: NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. Bug: 62679012 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
author: Suren Baghdasaryan <surenb@google.com> 2017-08-17 10:43:14 -0700
committer: Suren Baghdasaryan <surenb@google.com> 2017-08-18 22:05:07 +0000
commit: eb4610b979435c98821eefd716b6117a7ca0478d (patch)
tree: dce3206cce985c6a761641118fec6f21b0b78889 /drivers/nfc/st21nfca
parent: 8e7cf0b11e316ba11c7fc3b9bc3ba331f589cc98 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index 798a32bbac5d..206285210ab5 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c
@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
-	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+	if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+	    atr_req->length > skb->len) {
 		r = -EPROTO;
 		goto exit;
 	}
author	Suren Baghdasaryan <surenb@google.com>	2017-08-17 10:43:14 -0700
committer	Suren Baghdasaryan <surenb@google.com>	2017-08-18 22:05:07 +0000
commit	eb4610b979435c98821eefd716b6117a7ca0478d (patch)
tree	dce3206cce985c6a761641118fec6f21b0b78889 /drivers/nfc/st21nfca
parent	8e7cf0b11e316ba11c7fc3b9bc3ba331f589cc98 (diff)