* [PATCH] NFC: pn533: potential buffer overflow in pn533_target_found_type_a()
@ 2019-03-28 14:40 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2019-03-28 14:40 UTC (permalink / raw)
To: Samuel Ortiz; +Cc: linux-wireless, kernel-janitors
Smatch doesn't trust information that comes from skb->data. It
complains that "nfc_tgt->nfcid1_len" is a u8 so it could be up to 255
bytes, but the destination buffer is only 10 bytes large.
Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/nfc/pn533/pn533.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index a0cc1cc45292..9f9bbf912687 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -724,6 +724,8 @@ static int pn533_target_found_type_a(struct nfc_target *nfc_tgt, u8 *tgt_data,
nfc_tgt->sens_res = be16_to_cpu(tgt_type_a->sens_res);
nfc_tgt->sel_res = tgt_type_a->sel_res;
nfc_tgt->nfcid1_len = tgt_type_a->nfcid_len;
+ if (nfc_tgt->nfcid1_len > sizeof(nfc_tgt->nfcid1))
+ return -EINVAL;
memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
return 0;
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH] NFC: pn533: potential buffer overflow in pn533_target_found_type_a()
@ 2019-03-28 14:40 ` Dan Carpenter
0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2019-03-28 14:40 UTC (permalink / raw)
To: Samuel Ortiz; +Cc: linux-wireless, kernel-janitors
Smatch doesn't trust information that comes from skb->data. It
complains that "nfc_tgt->nfcid1_len" is a u8 so it could be up to 255
bytes, but the destination buffer is only 10 bytes large.
Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/nfc/pn533/pn533.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index a0cc1cc45292..9f9bbf912687 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -724,6 +724,8 @@ static int pn533_target_found_type_a(struct nfc_target *nfc_tgt, u8 *tgt_data,
nfc_tgt->sens_res = be16_to_cpu(tgt_type_a->sens_res);
nfc_tgt->sel_res = tgt_type_a->sel_res;
nfc_tgt->nfcid1_len = tgt_type_a->nfcid_len;
+ if (nfc_tgt->nfcid1_len > sizeof(nfc_tgt->nfcid1))
+ return -EINVAL;
memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
return 0;
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-03-28 14:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-28 14:40 [PATCH] NFC: pn533: potential buffer overflow in pn533_target_found_type_a() Dan Carpenter
2019-03-28 14:40 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.