summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorJordy Zomer <jordy@pwning.systems>2022-01-11 19:44:51 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2022-03-28 09:46:43 +0300
commit0aef7184630b599493a0dcad4eec6d42b3e68e91 (patch)
treeeaed11ac99219aa0e14793dcf03c8eb1afe6e2c3 /drivers
parent628adfa21815f74c04724abc85847f24b5dd1645 (diff)
downloadlinux-0aef7184630b599493a0dcad4eec6d42b3e68e91.tar.xz
nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream. It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way. Signed-off-by: Jordy Zomer <jordy@pwning.systems> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/nfc/st21nfca/se.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
index 6586378cacb0..a7ab6dab0f32 100644
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -321,6 +321,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
return -ENOMEM;
transaction->aid_len = skb->data[1];
+
+ /* Checking if the length of the AID is valid */
+ if (transaction->aid_len > sizeof(transaction->aid))
+ return -EINVAL;
+
memcpy(transaction->aid, &skb->data[2],
transaction->aid_len);
@@ -330,6 +335,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
return -EPROTO;
transaction->params_len = skb->data[transaction->aid_len + 3];
+
+ /* Total size is allocated (skb->len - 2) minus fixed array members */
+ if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+ return -EINVAL;
+
memcpy(transaction->params, skb->data +
transaction->aid_len + 4, transaction->params_len);
generated by cgit v1.2.3 (git 2.39.0) at 2024-10-12 15:47:33 +0300