NFC: st21nfca: Add condition to make sure atr_req->length is valid.
author Christophe Ricard <christophe.ricard@gmail.com>
Sun, 10 Aug 2014 22:04:56 +0000 (00:04 +0200)
committer Samuel Ortiz <sameo@linux.intel.com>
Sun, 7 Sep 2014 22:07:44 +0000 (00:07 +0200)
gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such a situation.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
drivers/nfc/st21nfca/st21nfca_dep.c

index b6de27b5011d0741e806d4312817662b04d16b54..6c09a66d9a1d9dfaa771819321756b6732d9e571 100644 (file)
@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
        atr_req = (struct st21nfca_atr_req *)skb->data;
 
+       if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+               r = -EPROTO;
+               goto exit;
+       }
+
        r = st21nfca_tm_send_atr_res(hdev, atr_req);
        if (r)
                goto exit;
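
Review bot: the added test on atr_req->length sets only a lower bound and uses "<", so a length exactly equal to sizeof(struct st21nfca_atr_req) still reaches st21nfca_tm_send_atr_res(), while the commit message says the length must be greater than that size. If the equal case (no bytes after the fixed header) is acceptable, the message should say ">="; if it is not, the condition should be "<=". The hunk also never compares atr_req->length with skb->len, so a length field larger than the data actually received passes this check. Consider also rejecting atr_req->length > skb->len with -EPROTO here, and confirm that skb->len covers the fixed header before atr_req->length is read from skb->data.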