diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-09-01 13:27:29 -0400 |
|---|---|---|
| committer | Samuel Ortiz <sameo@linux.intel.com> | 2014-09-04 18:57:32 -0400 |
| commit | d07f1e8600ccb885c8f4143402b8912f7d827bcb (patch) | |
| tree | 424bdab667951fb952c2cfe1951a1b028d1d0b59 /drivers/nfc/microread | |
| parent | 1bd3fa7b8c9b2936c16c6e6452f9cc991c405872 (diff) | |
NFC: microread: Potential overflows in microread_target_discovered()
Smatch says that skb->data is untrusted so we need to check to make sure
that the memcpy() doesn't overflow.
Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'drivers/nfc/microread')
| -rw-r--r-- | drivers/nfc/microread/microread.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/drivers/nfc/microread/microread.c b/drivers/nfc/microread/microread.c index f868333271aa..963a4a5dc88e 100644 --- a/drivers/nfc/microread/microread.c +++ b/drivers/nfc/microread/microread.c | |||
| @@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, | |||
| 501 | targets->sens_res = | 501 | targets->sens_res = |
| 502 | be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]); | 502 | be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]); |
| 503 | targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK]; | 503 | targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK]; |
| 504 | memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], | ||
| 505 | skb->data[MICROREAD_EMCF_A_LEN]); | ||
| 506 | targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN]; | 504 | targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN]; |
| 505 | if (targets->nfcid1_len > sizeof(targets->nfcid1)) { | ||
| 506 | r = -EINVAL; | ||
| 507 | goto exit_free; | ||
| 508 | } | ||
| 509 | memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], | ||
| 510 | targets->nfcid1_len); | ||
| 507 | break; | 511 | break; |
| 508 | case MICROREAD_GATE_ID_MREAD_ISO_A_3: | 512 | case MICROREAD_GATE_ID_MREAD_ISO_A_3: |
| 509 | targets->supported_protocols = | 513 | targets->supported_protocols = |
| @@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, | |||
| 511 | targets->sens_res = | 515 | targets->sens_res = |
| 512 | be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]); | 516 | be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]); |
| 513 | targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK]; | 517 | targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK]; |
| 514 | memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], | ||
| 515 | skb->data[MICROREAD_EMCF_A3_LEN]); | ||
| 516 | targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN]; | 518 | targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN]; |
| 519 | if (targets->nfcid1_len > sizeof(targets->nfcid1)) { | ||
| 520 | r = -EINVAL; | ||
| 521 | goto exit_free; | ||
| 522 | } | ||
| 523 | memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], | ||
| 524 | targets->nfcid1_len); | ||
| 517 | break; | 525 | break; |
| 518 | case MICROREAD_GATE_ID_MREAD_ISO_B: | 526 | case MICROREAD_GATE_ID_MREAD_ISO_B: |
| 519 | targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK; | 527 | targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK; |