From patchwork Wed Dec 20 19:51:24 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir <amit.pundir@linaro.org>
X-Patchwork-Id: 10126479
X-Patchwork-Delegate: sameo@linux.intel.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	2CBE16019C for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:51:54 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F91B29890
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:51:54 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 146952989B; Wed, 20 Dec 2017 19:51:54 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 978AD29890
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 20 Dec 2017 19:51:53 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756552AbdLTTvv (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 20 Dec 2017 14:51:51 -0500
Received: from mail-pf0-f193.google.com ([209.85.192.193]:35644 "EHLO
	mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756774AbdLTTvr (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 20 Dec 2017 14:51:47 -0500
Received: by mail-pf0-f193.google.com with SMTP id j124so12995487pfc.2
	for <linux-wireless@vger.kernel.org>;
	Wed, 20 Dec 2017 11:51:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=TZBj15vhcZkL16Ta0GEOKA6YFvs3QXuieY8qcfuQ2Dg=;
	b=Q3SGWrIP5PNIWoVuBNRAsp8M9VTBLhmgqVRe9Dcqt96Nxw2YjJJgqc2Gx56VTsRRlW
	uo7uJ2GkbBuBn7VvHb7oSiGQGZLKV5+tBk3S5S06acutcx/00ipwPI/BZI08ndoh1ob4
	5zTd6mR9hqdTahXjuRCYc25nZ95k23+Oxajoc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=TZBj15vhcZkL16Ta0GEOKA6YFvs3QXuieY8qcfuQ2Dg=;
	b=rvA82/I2eH3kGUb1AkUZliueKuGzYZrV1XB6LJwPW3I1UYYUJRles7zniWcBpx/VgW
	Wk7lIQnDhlcdwxYio6y0OUGQf94JQ4XI6AYjhsft38J20MueGgM5wmcKvj3c26tnkdJc
	z9jNO/Dz9h71NSrViUlLIftNeQoIVXtsrCyFEm1CKBbtw+c1ldHPPCu+J+wbWl5v1qbO
	8HSug0DuQV4ijRAxG+1uV2U0SpRpTIKSqHX8FO9j7Fh0ZUrOQ+l/nzL3jptMhfRMf6cF
	C5ppPbFe9FyyedYhELX+PL8W21pQMmRKmJZkW8P51u4BRakOATh3EFmRa2JmB1nBwkBU
	4oXw==
X-Gm-Message-State: AKGB3mIGpANSTH+YdQlMhvw3uipvjN2tIF6+PPLWuLikXyGyuixiSjy2
	g0TWCWIu45koHyl/ele0tjHgJg==
X-Google-Smtp-Source: 
 ACJfBotp/Nz7IF4SFG99S1esEh0tNyR7Xl6mEagZxirsYam0hBYM7ap1Tt4hookc7kt5JWrGu98pUg==
X-Received: by 10.99.117.12 with SMTP id q12mr7407819pgc.412.1513799506827;
	Wed, 20 Dec 2017 11:51:46 -0800 (PST)
Received: from localhost.localdomain ([106.51.17.191])
	by smtp.gmail.com with ESMTPSA id
	g2sm36715867pfc.130.2017.12.20.11.51.43
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 20 Dec 2017 11:51:45 -0800 (PST)
From: Amit Pundir <amit.pundir@linaro.org>
To: lkml <linux-kernel@vger.kernel.org>, linux-wireless@vger.kernel.org
Cc: Suren Baghdasaryan <surenb@google.com>,
	Samuel Ortiz <sameo@linux.intel.com>,
	Christophe Ricard <christophe.ricard@gmail.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	John Stultz <john.stultz@linaro.org>,
	Dmitry Shmidt <dimitrysh@google.com>, Todd Kjos <tkjos@google.com>,
	Android Kernel Team <kernel-team@android.com>
Subject: [RFC][PATCH 4/4] NFC: fdp: Fix possible buffer overflow in WCS4000
	NFC driver
Date: Thu, 21 Dec 2017 01:21:24 +0530
Message-Id: <1513799484-12505-5-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org>
References: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Suren Baghdasaryan <surenb@google.com>

Possible buffer overflow when reading next_read_size bytes into
tmp buffer after next_read_size was extracted from a previous packet.

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
 drivers/nfc/fdp/i2c.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
index c4da50e07bbc..08a4f82a2965 100644
--- a/drivers/nfc/fdp/i2c.c
+++ b/drivers/nfc/fdp/i2c.c
@@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)
 		/* Packet that contains a length */
 		if (tmp[0] == 0 && tmp[1] == 0) {
 			phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3;
+			/*
+			 * Ensure next_read_size does not exceed sizeof(tmp)
+			 * for reading that many bytes during next iteration
+			 */
+			if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) {
+				dev_dbg(&client->dev, "%s: corrupted packet\n",
+					__func__);
+				phy->next_read_size = 5;
+				goto flush;
+			}
 		} else {
 			phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;