From: Christophe Ricard Date: Sun, 10 Aug 2014 22:04:56 +0000 (+0200) Subject: NFC: st21nfca: Add condition to make sure atr_req->length is valid. X-Git-Tag: firefly_0821_release~176^2~3001^2~75^2~80^2~20 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=56f1ffcccd784672654918f9214979b4918c2544;p=firefly-linux-kernel-4.4.55.git NFC: st21nfca: Add condition to make sure atr_req->length is valid. gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for that could lead to a potential kernel oops. We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req) to avoid such situation. Signed-off-by: Christophe Ricard Signed-off-by: Samuel Ortiz --- diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c index b6de27b5011d..6c09a66d9a1d 100644 --- a/drivers/nfc/st21nfca/st21nfca_dep.c +++ b/drivers/nfc/st21nfca/st21nfca_dep.c @@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; + if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + r = -EPROTO; + goto exit; + } + r = st21nfca_tm_send_atr_res(hdev, atr_req); if (r) goto exit;