From patchwork Thu May 3 18:38:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 10378897 X-Patchwork-Delegate: sameo@linux.intel.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9D51760327 for ; Thu, 3 May 2018 18:39:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 85EB1291C6 for ; Thu, 3 May 2018 18:39:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7899D2923D; Thu, 3 May 2018 18:39:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A431291C6 for ; Thu, 3 May 2018 18:39:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751361AbeECSjv (ORCPT ); Thu, 3 May 2018 14:39:51 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:39766 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751140AbeECSjM (ORCPT ); Thu, 3 May 2018 14:39:12 -0400 Received: by mail-pf0-f194.google.com with SMTP id a22so1309267pfn.6 for ; Thu, 03 May 2018 11:39:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=xcTzDdC7kS4mNsgue4/ljEInDC8m7hROwHlFKZV6S2A=; b=b/Z2FoHQadStTl9MRI1QOPXDPek+lb/owsHVmVfQGbPapexttKFhyTzH2eP9ljgkU7 c+r3y1CFWz+PS1QhgjqhzmS8OO4soBVAkw2b5mmy9Upa5EYWJIMIBrLfCpUXlQNDt5Dr K+cKx58NDXg9FO60wpXKpeBTtiRbiZ9Ckrk88= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=xcTzDdC7kS4mNsgue4/ljEInDC8m7hROwHlFKZV6S2A=; b=oX+hiH4h7fBPdnMt03mjS46IJQX8cKnp4j65ov19UePkzNuHw2uq//Yyxa35mILoFh 0Qo87cFt6uFzvZTc345/c4yaZBQd6oIOVXBjjVvbJJ+S6StrMJXWavnTPEJY9moRmAMh UQhRkBAFAmbxef3oiqZVXsmMB+WUV7pHy0lc0trzGJZKw3ApTDqRq60bLXwlyi0ucbCD tISBZbBTiIP7SzUe06MmYy/51gmYEYaMiOm+QHu1Zzw81cptVO+mH2PtAU4bAC9KGexw xZ8VaUGZTnvrUljjJx+xOKgi0FGr6EGVNxlm7JU7J1PcNIFh/U1GXnRsUJbLpBkqNeh6 bnQw== X-Gm-Message-State: ALQs6tBvWSSeUK/vomc/cWC9vB293QN/WMY6nPAbvG9NAUw9Mmp4VSe7 hWICZwdk1qCIyb+4f2/g+JggAA== X-Google-Smtp-Source: AB8JxZoPEValrlApAkRFmRUgTIPfhujAMbDYcGDITolgOiiAHq/U4ujHYKfGQfApCAyW9/GSjPpRMg== X-Received: by 2002:a65:5c88:: with SMTP id a8-v6mr19662997pgt.373.1525372750698; Thu, 03 May 2018 11:39:10 -0700 (PDT) Received: from localhost.localdomain ([106.51.17.226]) by smtp.gmail.com with ESMTPSA id o5-v6sm4130786pgv.47.2018.05.03.11.39.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 03 May 2018 11:39:09 -0700 (PDT) From: Amit Pundir To: lkml , linux-wireless@vger.kernel.org Cc: Suren Baghdasaryan , Samuel Ortiz , Christophe Ricard , Andy Shevchenko , Greg KH , John Stultz , Dmitry Shmidt , Todd Kjos , Android Kernel Team , Stable Subject: [PATCH v3 3/4] NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver Date: Fri, 4 May 2018 00:08:55 +0530 Message-Id: <1525372736-25094-3-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1525372736-25094-1-git-send-email-amit.pundir@linaro.org> References: <1525372736-25094-1-git-send-email-amit.pundir@linaro.org> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Suren Baghdasaryan Possible buffer overflow when reading next_read_size bytes into tmp buffer after next_read_size was extracted from a previous packet. cc: Stable Signed-off-by: Suren Baghdasaryan Signed-off-by: Amit Pundir Reviewed-by: Andy Shevchenko --- v3: Reset next_read_size to a more readable macro FDP_NCI_I2C_MIN_PAYLOAD instead of 5. v2: Remove redundant __func__ from dev_dgb(). drivers/nfc/fdp/i2c.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e07bbc..2c5ed2224c5e 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "corrupted packet\n"); + phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;