
Commit a5d0bed6 authored by Suren Baghdasaryan, committed by Amit Pundir

ANDROID: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands



When handling SHDLC I-Frame commands, the "pipe" field used for indexing
into an array should be checked before usage. If left unchecked, it
might access memory outside of the array of size NFC_HCI_MAX_PIPES (127).

Bug: 62679701

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
parent cb450f79
+10 −0
@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
		}
		}
		create_info = (struct hci_create_pipe_resp *)skb->data;
		create_info = (struct hci_create_pipe_resp *)skb->data;


		if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
			status = NFC_HCI_ANY_E_NOK;
			goto exit;
		}

		/* Save the new created pipe and bind with local gate,
		/* Save the new created pipe and bind with local gate,
		 * the description for skb->data[3] is destination gate id
		 * the description for skb->data[3] is destination gate id
		 * but since we received this cmd from host controller, we
		 * but since we received this cmd from host controller, we
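Review bot: the bound check is placed correctly, after the preceding length validation closes and before any `hdev->pipes[create_info->pipe]` access, and `>=` is the right comparison since NFC_HCI_MAX_PIPES is the array size rather than the last valid index. One suggestion: a short comment on the `if (create_info->pipe >= NFC_HCI_MAX_PIPES)` line noting that the pipe id comes from the host controller and is therefore untrusted input would make the intent clear to the next reader, since the surrounding block comment only explains the gate binding.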
@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
		}
		}
		delete_info = (struct hci_delete_pipe_noti *)skb->data;
		delete_info = (struct hci_delete_pipe_noti *)skb->data;


		if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
			status = NFC_HCI_ANY_E_NOK;
			goto exit;
		}

		hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
		hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
		hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
		hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
		break;
		break;
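Review bot: this duplicates the exact check added in the create-pipe hunk (`if (delete_info->pipe >= NFC_HCI_MAX_PIPES)` / `status = NFC_HCI_ANY_E_NOK;` / `goto exit;`); factoring it into a small static helper such as a pipe-index validity check would keep the two paths in sync if a third `pipe`-indexed command is handled later. The placement itself is correct: the check lands before the two writes to `hdev->pipes[delete_info->pipe].gate` and `.dest_host`, which were the out-of-bounds writes the commit message describes.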