diff options
author | Christophe Ricard <christophe.ricard@gmail.com> | 2014-08-11 00:04:56 +0200 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2014-09-08 00:07:44 +0200 |
commit | 56f1ffcccd784672654918f9214979b4918c2544 (patch) | |
tree | 9a7015cf87cc64844792febb32d0cd8e75124cb3 /drivers/nfc/st21nfca/st21nfca_dep.c | |
parent | a51577c9e3c49dbc44c821f9e170b96bbea716e3 (diff) |
NFC: st21nfca: Add condition to make sure atr_req->length is valid.
gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such situation.
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'drivers/nfc/st21nfca/st21nfca_dep.c')
-rw-r--r-- | drivers/nfc/st21nfca/st21nfca_dep.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c index b6de27b5011d..6c09a66d9a1d 100644 --- a/drivers/nfc/st21nfca/st21nfca_dep.c +++ b/drivers/nfc/st21nfca/st21nfca_dep.c @@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev, atr_req = (struct st21nfca_atr_req *)skb->data; + if (atr_req->length < sizeof(struct st21nfca_atr_req)) { + r = -EPROTO; + goto exit; + } + r = st21nfca_tm_send_atr_res(hdev, atr_req); if (r) goto exit; |