Commit 7f54bf16 authored Aug 17, 2017 by Suren Baghdasaryan Committed by Amit Pundir Aug 23, 2017

ANDROID: NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ



Out of bounds kernel accesses in st21nfca's NFC HCI layer
might happen when handling ATR_REQ events if user-specified
atr_req->length is bigger than the buffer size. In
that case memcpy() inside st21nfca_tm_send_atr_res() will
read extra bytes resulting in OOB read from the kernel heap.

Bug: 62679012

Signed-off-by: Suren Baghdasaryan <surenb@google.com>

parent 6ad24e50

drivers/nfc/st21nfca/dep.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -217,7 +217,8 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,

		atr_req = (struct st21nfca_atr_req *)skb->data;

		if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
		if (atr_req->length < sizeof(struct st21nfca_atr_req) \|\|
		atr_req->length > skb->len) {
		r = -EPROTO;
		goto exit;
		}