| Message ID | 1525283288-7027-4-git-send-email-amit.pundir@linaro.org (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Samuel Ortiz |
| Headers | show |
On Wed, 2018-05-02 at 23:18 +0530, Amit Pundir wrote: > From: Suren Baghdasaryan <surenb@google.com> > > Possible buffer overflow when reading next_read_size bytes into > tmp buffer after next_read_size was extracted from a previous packet. > > Signed-off-by: Suren Baghdasaryan <surenb@google.com> > Signed-off-by: Amit Pundir <amit.pundir@linaro.org> > --- > v2: > Remove redundant __func__ from dev_dgb(). > > drivers/nfc/fdp/i2c.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c > index c4da50e..b80d1ad 100644 > --- a/drivers/nfc/fdp/i2c.c > +++ b/drivers/nfc/fdp/i2c.c > @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy > *phy, struct sk_buff **skb) > /* Packet that contains a length */ > if (tmp[0] == 0 && tmp[1] == 0) { > phy->next_read_size = (tmp[2] << 8) + tmp[3] > + 3; > + /* > + * Ensure next_read_size does not exceed > sizeof(tmp) > + * for reading that many bytes during next > iteration > + */ > + if (phy->next_read_size > > FDP_NCI_I2C_MAX_PAYLOAD) { > + dev_dbg(&client->dev, "corrupted > packet\n"); > + phy->next_read_size = 5; Shouldn't be this magic replaced by phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; ? > + goto flush; > + } > } else { > phy->next_read_size = > FDP_NCI_I2C_MIN_PAYLOAD; >
On 3 May 2018 at 15:50, Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote: > On Wed, 2018-05-02 at 23:18 +0530, Amit Pundir wrote: >> From: Suren Baghdasaryan <surenb@google.com> >> >> Possible buffer overflow when reading next_read_size bytes into >> tmp buffer after next_read_size was extracted from a previous packet. >> >> Signed-off-by: Suren Baghdasaryan <surenb@google.com> >> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> >> --- >> v2: >> Remove redundant __func__ from dev_dgb(). >> >> drivers/nfc/fdp/i2c.c | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> >> diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c >> index c4da50e..b80d1ad 100644 >> --- a/drivers/nfc/fdp/i2c.c >> +++ b/drivers/nfc/fdp/i2c.c >> @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy >> *phy, struct sk_buff **skb) >> /* Packet that contains a length */ >> if (tmp[0] == 0 && tmp[1] == 0) { >> phy->next_read_size = (tmp[2] << 8) + tmp[3] >> + 3; >> + /* >> + * Ensure next_read_size does not exceed >> sizeof(tmp) >> + * for reading that many bytes during next >> iteration >> + */ >> + if (phy->next_read_size > >> FDP_NCI_I2C_MAX_PAYLOAD) { >> + dev_dbg(&client->dev, "corrupted >> packet\n"); > >> + phy->next_read_size = 5; > > Shouldn't be this magic replaced by > > phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; > > ? Ack. Fixing it in v3. Regards, Amit Pundir > >> + goto flush; >> + } >> } else { >> phy->next_read_size = >> FDP_NCI_I2C_MIN_PAYLOAD; >> > > -- > Andy Shevchenko <andriy.shevchenko@linux.intel.com> > Intel Finland Oy
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e..b80d1ad 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "corrupted packet\n"); + phy->next_read_size = 5; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;