summaryrefslogtreecommitdiffstats
path: root/net/nfc
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2019-04-03 10:12:48 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-05-16 19:42:32 +0200
commit205db528f3ae1b6bb534f05a64c0c166f95a01d2 (patch)
treec27b8d5529b30dbfd209a2edc8d2519205cce363 /net/nfc
parentb2e74c86dd083ffbbe15f506ebf54c1a623a15b7 (diff)
downloadlinux-stable-205db528f3ae1b6bb534f05a64c0c166f95a01d2.tar.gz
linux-stable-205db528f3ae1b6bb534f05a64c0c166f95a01d2.tar.bz2
linux-stable-205db528f3ae1b6bb534f05a64c0c166f95a01d2.zip
NFC: nci: Add some bounds checking in nci_hci_cmd_received()
[ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ] This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory corruption when handling SHDLC I-Frame commands"). I'm not totally sure, but I think that commit description may have overstated the danger. I was under the impression that this data came from the firmware? If you can't trust your networking firmware, then you're already in trouble. Anyway, these days we add bounds checking where ever we can and we call it kernel hardening. Better safe than sorry. Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Diffstat (limited to 'net/nfc')
-rw-r--r--net/nfc/nci/hci.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
index ddfc52ac1f9b..c0d323b58e73 100644
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
create_info = (struct nci_hci_create_pipe_resp *)skb->data;
dest_gate = create_info->dest_gate;
new_pipe = create_info->pipe;
+ if (new_pipe >= NCI_HCI_MAX_PIPES) {
+ status = NCI_HCI_ANY_E_NOK;
+ goto exit;
+ }
/* Save the new created pipe and bind with local gate,
* the description for skb->data[3] is destination gate id
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
goto exit;
}
delete_info = (struct nci_hci_delete_pipe_noti *)skb->data;
+ if (delete_info->pipe >= NCI_HCI_MAX_PIPES) {
+ status = NCI_HCI_ANY_E_NOK;
+ goto exit;
+ }
ndev->hci_dev->pipes[delete_info->pipe].gate =
NCI_HCI_INVALID_GATE;