Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 81ca7835 authored by Cong Wang's avatar Cong Wang Committed by Samuel Ortiz
Browse files

NFC: Use GFP_USER for user-controlled kmalloc 



These two functions are called in sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM kernel on purpose.

Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Acked-by: default avatarEric Dumazet <edumazet@google.com>
Reviewed-by: default avatarJulian Calaby <julian.calaby@gmail.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
parent 667f0063

net/nfc/llcp_commands.c

+2 −2
Original line number Diff line number Diff line
@@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock, 
		return -ENOBUFS;

	}



	msg_data = kzalloc(len, GFP_KERNEL);

	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);

	if (msg_data == NULL)

		return -ENOMEM;
@@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, 
	if (local == NULL)

		return -ENODEV;



	msg_data = kzalloc(len, GFP_KERNEL);

	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);

	if (msg_data == NULL)

		return -ENOMEM;