diff options
author | Suren Baghdasaryan <surenb@google.com> | 2018-05-04 00:08:55 +0530 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2018-06-08 22:37:12 -0400 |
commit | 430c62fa23d4806488cf7d4a226a4638f1945363 (patch) | |
tree | 8087c9db4ec9f92b1a57061d16e0a254a9861c56 /drivers/nfc | |
parent | 761e37b71e26de04de744794ef7155d41a78a8dd (diff) | |
download | linux-next-430c62fa23d4806488cf7d4a226a4638f1945363.tar.gz |
NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver
Possible buffer overflow when reading next_read_size bytes into
tmp buffer after next_read_size was extracted from a previous packet.
cc: Stable <stable@vger.kernel.org>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'drivers/nfc')
-rw-r--r-- | drivers/nfc/fdp/i2c.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e07bbc..2c5ed2224c5e 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "corrupted packet\n"); + phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; |