Commit 4fbcc1a

JordyZomer authored and davem330 committed
nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 2a4d75b commit 4fbcc1a
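The commit message names the bug class: length bytes taken straight from the event payload feed memcpy. As an added example that is not the driver's code, the C model below parses an EVT_TRANSACTION-shaped event and shows the two bounds every such length field needs, the capacity of the destination it is copied into and the bytes that actually remain in the received buffer. The struct layout, AID_MAX of 16, the tag byte values, the params capacity of 64 and the sample events are all assumptions constructed for this example; only the field offsets (data[1], data[2], data[aid_len + 3], data + aid_len + 4) follow the indexing visible in the diff.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example; the real struct nfc_evt_transaction
 * and NFC_MAX_AID_LENGTH are not shown on this page. */
#define AID_MAX 16
#define PARAMS_TAG_ASSUMED 0x82   /* hypothetical params tag value */

struct evt_transaction {
    uint8_t aid_len;
    uint8_t aid[AID_MAX];
    uint8_t params_len;
    uint8_t params[];             /* flexible array, capacity set at allocation */
};

enum { ERR_OK = 0, ERR_INVAL = -22, ERR_PROTO = -71 };

/*
 * Wire layout, following the offsets the driver indexes in the diff:
 *   data[1]               aid_len
 *   data[2 .. 2+aid_len)  AID
 *   data[2+aid_len]       params tag
 *   data[3+aid_len]       params_len
 *   data[4+aid_len .. )   params
 * Each length byte is checked against the destination it is copied into
 * and against the bytes that actually exist in the source buffer.
 */
int parse_evt_transaction(const uint8_t *data, size_t len,
                          struct evt_transaction *t, size_t t_size)
{
    size_t off;

    if (len < 4 || t_size < sizeof(*t))       /* shortest possible event */
        return ERR_INVAL;

    t->aid_len = data[1];
    if (t->aid_len > sizeof(t->aid))          /* destination bound (the fix) */
        return ERR_INVAL;
    if ((size_t)t->aid_len + 4 > len)         /* source bound: AID plus tag and params_len */
        return ERR_INVAL;
    memcpy(t->aid, &data[2], t->aid_len);

    off = 2 + (size_t)t->aid_len;
    if (data[off] != PARAMS_TAG_ASSUMED)
        return ERR_PROTO;
    t->params_len = data[off + 1];
    off += 2;
    if (t->params_len > len - off)            /* source bound: no over-read */
        return ERR_INVAL;
    if (t->params_len > t_size - sizeof(*t))  /* destination bound: no heap overflow */
        return ERR_INVAL;
    memcpy(t->params, &data[off], t->params_len);
    return ERR_OK;
}

/* Run one constructed event through the parser with 64 bytes of params capacity. */
static int run_sample(const uint8_t *ev, size_t len)
{
    uint8_t storage[sizeof(struct evt_transaction) + 64] = {0};
    return parse_evt_transaction(ev, len, (struct evt_transaction *)storage,
                                 sizeof(storage));
}

/* Constructed events (not captured from hardware). Byte 0 is an event tag
 * the parser does not inspect. */
int sample_valid(void)
{
    static const uint8_t ev[] = {0x81, 3, 0xA0, 0x00, 0x00, 0x82, 2, 0x11, 0x22};
    return run_sample(ev, sizeof(ev));
}

int sample_oversized_aid(void)
{   /* aid_len 0xFF: unchecked, memcpy would write 255 bytes into a 16-byte array */
    static const uint8_t ev[] = {0x81, 0xFF, 0xA0, 0x00, 0x00, 0x82, 2, 0x11, 0x22};
    return run_sample(ev, sizeof(ev));
}

int sample_params_past_end(void)
{   /* params_len 0x40 claims 64 bytes but only 2 follow: source over-read */
    static const uint8_t ev[] = {0x81, 3, 0xA0, 0x00, 0x00, 0x82, 0x40, 0x11, 0x22};
    return run_sample(ev, sizeof(ev));
}

int sample_params_exceed_alloc(void)
{   /* 80 params bytes really are present, but the allocation holds only 64 */
    uint8_t ev[7 + 80];
    const uint8_t hdr[] = {0x81, 3, 0xA0, 0x00, 0x00, 0x82, 80};
    memcpy(ev, hdr, sizeof(hdr));
    memset(ev + 7, 0x41, 80);
    return run_sample(ev, sizeof(ev));
}

int sample_bad_params_tag(void)
{
    static const uint8_t ev[] = {0x81, 3, 0xA0, 0x00, 0x00, 0x00, 2, 0x11, 0x22};
    return run_sample(ev, sizeof(ev));
}

int sample_truncated(void)
{
    static const uint8_t ev[] = {0x81, 3, 0xA0};
    return run_sample(ev, sizeof(ev));
}

int main(void)
{
    printf("valid             -> %d\n", sample_valid());
    printf("oversized aid_len -> %d\n", sample_oversized_aid());
    printf("params past end   -> %d\n", sample_params_past_end());
    printf("params > capacity -> %d\n", sample_params_exceed_alloc());
    printf("bad params tag    -> %d\n", sample_bad_params_tag());
    printf("truncated         -> %d\n", sample_truncated());
    return 0;
}
```

The two source-bound checks are the part the patch does not add: the destination checks stop the heap write from overflowing, but a short event can still make memcpy read past the end of the received buffer unless the length is also compared with what is left after the current offset.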

File tree

1 file changed, +10 -0 lines changed
  • drivers/nfc/st21nfca/se.c

Diff for: drivers/nfc/st21nfca/se.c

@@ -316,6 +316,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
316316
return -ENOMEM;
317317

318318
transaction->aid_len = skb->data[1];
319+
320+
/* Checking if the length of the AID is valid */
321+
if (transaction->aid_len > sizeof(transaction->aid))
322+
return -EINVAL;
323+
319324
memcpy(transaction->aid, &skb->data[2],
320325
transaction->aid_len);
321326

@@ -325,6 +330,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
325330
return -EPROTO;
326331

327332
transaction->params_len = skb->data[transaction->aid_len + 3];
333+
334+
/* Total size is allocated (skb->len - 2) minus fixed array members */
335+
if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
336+
return -EINVAL;
337+
328338
memcpy(transaction->params, skb->data +
329339
transaction->aid_len + 4, transaction->params_len);
330340
