1 files changed, 8 insertions, 1 deletions

diff --git a/drivers/nfc/st21nfcb/st21nfcb_se.c b/drivers/nfc/st21nfcb/st21nfcb_se.c
index 6df7b950d0e9..24862a525fb5 100644
--- a/drivers/nfc/st21nfcb/st21nfcb_se.c
+++ b/drivers/nfc/st21nfcb/st21nfcb_se.c
@@ -321,6 +321,12 @@ static int st21nfcb_hci_connectivity_event_received(struct nci_dev *ndev,
 
         break;
         case ST21NFCB_EVT_TRANSACTION:
+                /* According to specification etsi 102 622
+                 * 11.2.2.4 EVT_TRANSACTION Table 52
+                 * Description  Tag     Length
+                 * AID          81      5 to 16
+                 * PARAMETERS   82      0 to 255
+                 */
                 if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
                     skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
                         return -EPROTO;
@@ -329,8 +335,9 @@ static int st21nfcb_hci_connectivity_event_received(struct nci_dev *ndev,
                                             skb->len - 2, GFP_KERNEL);
 
                 transaction->aid_len = skb->data[1];
-                memcpy(transaction->aid, &skb->data[2], skb->data[1]);
+                memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
 
+                /* Check next byte is PARAMETERS tag (82) */
                 if (skb->data[transaction->aid_len + 2] !=
                     NFC_EVT_TRANSACTION_PARAMS_TAG)
                         return -EPROTO;