NFC: microread: Potential overflows in microread_target_discovered() (d07f1e86) · Commits · e / devices / android_kernel_teracube_2e

drivers/nfc/microread/microread.c

+12 −4

Original line number	Diff line number	Diff line
		@@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
		targets->sens_res =
		be16_to_cpu((u16 )&skb->data[MICROREAD_EMCF_A_ATQA]);
		targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK];
		memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
		skb->data[MICROREAD_EMCF_A_LEN]);
		targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN];
		if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
		r = -EINVAL;
		goto exit_free;
		}
		memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
		targets->nfcid1_len);
		break;
		case MICROREAD_GATE_ID_MREAD_ISO_A_3:
		targets->supported_protocols =
		@@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
		targets->sens_res =
		be16_to_cpu((u16 )&skb->data[MICROREAD_EMCF_A3_ATQA]);
		targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK];
		memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
		skb->data[MICROREAD_EMCF_A3_LEN]);
		targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN];
		if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
		r = -EINVAL;
		goto exit_free;
		}
		memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
		targets->nfcid1_len);
		break;
		case MICROREAD_GATE_ID_MREAD_ISO_B:
		targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK;