Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b670126 authored by Suren Baghdasaryan's avatar Suren Baghdasaryan Committed by Amit Pundir
Browse files

ANDROID: NFC: st21nfca: Fix memory OOB and leak issues in connectivity events handler 



Overflow on memcpy is possible in kernel driver for st21nfca's
NFC HCI layer when handling connectivity events if aid_len or
params_len are bigger than the buffer size.
Memory leak is possible when parameter tag is invalid.

Bug: 62679581

Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
parent 4818d4b1

drivers/nfc/st21nfca/se.c

+14 −4
Original line number Diff line number Diff line
@@ -322,23 +322,33 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, 
		 * AID		81	5 to 16

		 * PARAMETERS	82	0 to 255

		 */

		if (skb->len < NFC_MIN_AID_LENGTH + 2 &&

		if (skb->len < NFC_MIN_AID_LENGTH + 2 ||

		    skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)

			return -EPROTO;



		/*

		 * Buffer should have enough space for at least

		 * two tag fields + two length fields + aid_len (skb->data[1])

		 */

		if (skb->len < skb->data[1] + 4)

			return -EPROTO;



		transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev,

						   skb->len - 2, GFP_KERNEL);



		transaction->aid_len = skb->data[1];

		memcpy(transaction->aid, &skb->data[2],

		       transaction->aid_len);

		transaction->params_len = skb->data[transaction->aid_len + 3];



		/* Check next byte is PARAMETERS tag (82) */

		/* Check next byte is PARAMETERS tag (82) and the length field */

		if (skb->data[transaction->aid_len + 2] !=

		    NFC_EVT_TRANSACTION_PARAMS_TAG)

		    NFC_EVT_TRANSACTION_PARAMS_TAG ||

		    skb->len < transaction->aid_len + transaction->params_len + 4) {

			devm_kfree(dev, transaction);

			return -EPROTO;

		}



		transaction->params_len = skb->data[transaction->aid_len + 3];

		memcpy(transaction->params, skb->data +

		       transaction->aid_len + 4, transaction->params_len);