ANDROID: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands (a5d0bed6) · Commits · e / devices / android_kernel_oneplus_sm8150

net/nfc/hci/core.c

+10 −0

Original line number	Original line	Diff line number	Diff line
	@@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
	}		}
	create_info = (struct hci_create_pipe_resp *)skb->data;		create_info = (struct hci_create_pipe_resp *)skb->data;

			if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
			status = NFC_HCI_ANY_E_NOK;
			goto exit;
			}

	/* Save the new created pipe and bind with local gate,		/* Save the new created pipe and bind with local gate,
	* the description for skb->data[3] is destination gate id		* the description for skb->data[3] is destination gate id
	* but since we received this cmd from host controller, we		* but since we received this cmd from host controller, we
	@@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
	}		}
	delete_info = (struct hci_delete_pipe_noti *)skb->data;		delete_info = (struct hci_delete_pipe_noti *)skb->data;

			if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
			status = NFC_HCI_ANY_E_NOK;
			goto exit;
			}

	hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;		hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
	hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;		hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
	break;		break;