NFC: st21nfca: Add condition to make sure atr_req->length is valid.

gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for that could lead to a potential kernel oops. We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req) to avoid such situation. Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

NFC: st21nfca: Add condition to make sure atr_req->length is valid.
gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for that could lead to a potential kernel oops. We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req) to avoid such situation. Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
56f1ffcc · Christophe Ricard · Samuel Ortiz · a51577c9 · 56f1ffcc
Commit 56f1ffcc authored Aug 11, 2014 by Christophe Ricard Committed by Samuel Ortiz Sep 08, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

drivers/nfc/st21nfca/st21nfca_dep.c drivers/nfc/st21nfca/st21nfca_dep.c +5 -0

No files found.
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c
@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 	atr_req = (struct st21nfca_atr_req *)skb->data;
+	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+		r = -EPROTO;
+		goto exit;
+	}
 	r = st21nfca_tm_send_atr_res(hdev, atr_req);
 	if (r)
 		goto exit;