diff options
| author | Christophe Ricard <christophe.ricard@gmail.com> | 2014-08-10 18:04:56 -0400 |
|---|---|---|
| committer | Samuel Ortiz <sameo@linux.intel.com> | 2014-09-07 18:07:44 -0400 |
| commit | 56f1ffcccd784672654918f9214979b4918c2544 (patch) | |
| tree | 9a7015cf87cc64844792febb32d0cd8e75124cb3 /drivers/nfc | |
| parent | a51577c9e3c49dbc44c821f9e170b96bbea716e3 (diff) | |
NFC: st21nfca: Add condition to make sure atr_req->length is valid.
gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such situation.
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'drivers/nfc')
| -rw-r--r-- | drivers/nfc/st21nfca/st21nfca_dep.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c index b6de27b5011d..6c09a66d9a1d 100644 --- a/drivers/nfc/st21nfca/st21nfca_dep.c +++ b/drivers/nfc/st21nfca/st21nfca_dep.c | |||
| @@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, | |||
| 211 | 211 | ||
| 212 | atr_req = (struct st21nfca_atr_req *)skb->data; | 212 | atr_req = (struct st21nfca_atr_req *)skb->data; |
| 213 | 213 | ||
| 214 | if (atr_req->length < sizeof(struct st21nfca_atr_req)) { | ||
| 215 | r = -EPROTO; | ||
| 216 | goto exit; | ||
| 217 | } | ||
| 218 | |||
| 214 | r = st21nfca_tm_send_atr_res(hdev, atr_req); | 219 | r = st21nfca_tm_send_atr_res(hdev, atr_req); |
| 215 | if (r) | 220 | if (r) |
| 216 | goto exit; | 221 | goto exit; |