
Commit caa575a8 authored by Robert Dolca, committed by Samuel Ortiz

NFC: nci: fix possible crash in nci_core_conn_create



If the number of destination specific parameters supplied is 0
the call will fail. If the first destination specific parameter
does not have a value, curr_id will be set to 0.

Signed-off-by: Robert Dolca <robert.dolca@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
parent 22e4bd09
+8 −1
@@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
	if (!cmd)
		return -ENOMEM;

	if (!number_destination_params)
		return -EINVAL;

	cmd->destination_type = destination_type;
	cmd->number_destination_params = number_destination_params;
	memcpy(cmd->params, params, params_len);

	data.cmd = cmd;

	if (params->length > 0)
		ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
	else
		ndev->cur_id = 0;

	r = __nci_request(ndev, nci_core_conn_create_req,
			  (unsigned long)&data,
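Review bot: The new `if (!number_destination_params) return -EINVAL;` sits after the `if (!cmd) return -ENOMEM;` check, so `cmd` has already been obtained when this early return fires and nothing releases it; if `cmd` is allocated just above the visible context, every call with zero parameters leaks that buffer. Move the zero-count check ahead of the allocation, or free `cmd` before returning. Separately, both `memcpy(cmd->params, params, params_len)` and the new `params->length` test dereference `params` without a NULL check, and a non-zero `number_destination_params` does not by itself guarantee a non-NULL `params`, so rejecting `!params` in the same validation step would close that path too.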