[v3,1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

Message ID 1525372736-25094-1-git-send-email-amit.pundir@linaro.org
State New
Headers show
Series
  • [v3,1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ
Related show

Commit Message

Amit Pundir May 3, 2018, 6:38 p.m.
From: Suren Baghdasaryan <surenb@google.com>


Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.

cc: Stable <stable@vger.kernel.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

---
v3..v1:
Resend. No changes.

 drivers/nfc/st21nfca/dep.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.7.4

Patch

diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index fd08be2917e6..3420c5104c94 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c
@@ -217,7 +217,8 @@  static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
-	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+	if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+	    atr_req->length > skb->len) {
 		r = -EPROTO;
 		goto exit;
 	}