NFC: nci: fix possible crash in nci_core_conn_create

If the number of destination speific parameters supplied is 0 the call will fail. If the first destination specific parameter does not have a value, curr_id will be set to 0. Signed-off-by: Robert Dolca <robert.dolca@intel.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
author: Robert Dolca <robert.dolca@intel.com> 2015-10-22 05:11:40 -0400
committer: Samuel Ortiz <sameo@linux.intel.com> 2015-10-25 15:29:05 -0400
commit: caa575a86ec1f177730cafa089d69ab4e424860c (patch)
tree: 1470623ae3570e1464697599c8bc8471c0c7f815 /net/nfc
parent: 22e4bd09c401905671f3787a8392d269a0ebfa0d (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index f66a5da85ddb..9d5f7a2b1d03 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
        if (!cmd)
                return -ENOMEM;
+        if (!number_destination_params)
+                return -EINVAL;
        cmd->destination_type = destination_type;
        cmd->number_destination_params = number_destination_params;
        memcpy(cmd->params, params, params_len);
        data.cmd = cmd;
-        ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
+        if (params->length > 0)
+                ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
+        else
+                ndev->cur_id = 0;
        r = __nci_request(ndev, nci_core_conn_create_req,
                          (unsigned long)&data,
author	Robert Dolca <robert.dolca@intel.com>	2015-10-22 05:11:40 -0400
committer	Samuel Ortiz <sameo@linux.intel.com>	2015-10-25 15:29:05 -0400
commit	caa575a86ec1f177730cafa089d69ab4e424860c (patch)
tree	1470623ae3570e1464697599c8bc8471c0c7f815 /net/nfc
parent	22e4bd09c401905671f3787a8392d269a0ebfa0d (diff)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index f66a5da85ddb..9d5f7a2b1d03 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c
@@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
602	if (!cmd)	602	if (!cmd)
603	return -ENOMEM;	603	return -ENOMEM;
604		604
		605	if (!number_destination_params)
		606	return -EINVAL;
		607
605	cmd->destination_type = destination_type;	608	cmd->destination_type = destination_type;
606	cmd->number_destination_params = number_destination_params;	609	cmd->number_destination_params = number_destination_params;
607	memcpy(cmd->params, params, params_len);	610	memcpy(cmd->params, params, params_len);
608		611
609	data.cmd = cmd;	612	data.cmd = cmd;
610	ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];	613
		614	if (params->length > 0)
		615	ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
		616	else
		617	ndev->cur_id = 0;
611		618
612	r = __nci_request(ndev, nci_core_conn_create_req,	619	r = __nci_request(ndev, nci_core_conn_create_req,
613	(unsigned long)&data,	620	(unsigned long)&data,