shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-08 03:40:35 +09:00
Code Issues Packages Projects Releases Wiki Activity

ANDROID: NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ

Browse Source 
Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.

Bug: 62679012

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This commit is contained in:
Suren Baghdasaryan
2017-08-17 10:43:14 -07:00
committed by Amit Pundir
parent a47cfd8585
commit e86be20135
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/nfc/st21nfca/dep.c
View File

@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
atr_req = (struct st21nfca_atr_req *)skb->data;
if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
atr_req->length > skb->len) {
r = -EPROTO;
goto exit;
}