diff options
author | Suren Baghdasaryan <surenb@google.com> | 2017-08-17 10:43:14 -0700 |
---|---|---|
committer | Suren Baghdasaryan <surenb@google.com> | 2017-08-18 22:05:07 +0000 |
commit | eb4610b979435c98821eefd716b6117a7ca0478d (patch) | |
tree | dce3206cce985c6a761641118fec6f21b0b78889 /drivers/nfc/st21nfca | |
parent | 8e7cf0b11e316ba11c7fc3b9bc3ba331f589cc98 (diff) |
ANDROID: NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ
Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.
Bug: 62679012
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Diffstat (limited to 'drivers/nfc/st21nfca')
-rw-r--r-- | drivers/nfc/st21nfca/dep.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c index 798a32bbac5d..206285210ab5 100644 --- a/drivers/nfc/st21nfca/dep.c +++ b/drivers/nfc/st21nfca/dep.c @@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; - if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + if (atr_req->length < sizeof(struct st21nfca_atr_req) || + atr_req->length > skb->len) { r = -EPROTO; goto exit; } |