Commit 56f1ffcc authored by Christophe Ricard's avatar Christophe Ricard Committed by Samuel Ortiz

NFC: st21nfca: Add condition to make sure atr_req->length is valid.

gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such situation.
Signed-off-by: default avatarChristophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
parent a51577c9
......@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
atr_req = (struct st21nfca_atr_req *)skb->data;
if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
r = -EPROTO;
goto exit;
}
r = st21nfca_tm_send_atr_res(hdev, atr_req);
if (r)
goto exit;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment