From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter
Subject: [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received()
Date: Wed, 24 Apr 2019 19:09:37 +0200
Message-Id: <20190424170927.445586466@linuxfoundation.org>
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>
References: <20190424170924.797924502@linuxfoundation.org>

From: Dan Carpenter

[ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ]

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory corruption when handling SHDLC I-Frame commands").

I'm not totally sure, but I think that commit description may have overstated the danger. I was under the impression that this data came from the firmware? If you can't trust your networking firmware, then you're already in trouble.

Anyway, these days we add bounds checking wherever we can and we call it kernel hardening. Better safe than sorry.

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
---
 net/nfc/nci/hci.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/nfc/nci/hci.c +++ b/net/nfc/nci/hci.c @@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct create_info = (struct nci_hci_create_pipe_resp *)skb->data; dest_gate = create_info->dest_gate; new_pipe = create_info->pipe; + if (new_pipe >= NCI_HCI_MAX_PIPES) { + status = NCI_HCI_ANY_E_NOK; + goto exit; + } /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct goto exit; } delete_info = (struct nci_hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NCI_HCI_MAX_PIPES) { + status = NCI_HCI_ANY_E_NOK; + goto exit; + } ndev->hci_dev->pipes[delete_info->pipe].gate = NCI_HCI_INVALID_GATE;
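Review bot: In the first hunk (@@ -312), dest_gate is read from the same create_info message as new_pipe, but only new_pipe gets a range check before the "Save the new created pipe and bind with local gate" step. If dest_gate is ever used as an index or lookup key later, rather than only stored, it needs the same treatment; please confirm. The context shown for this hunk also starts at the cast of skb->data to struct nci_hci_create_pipe_resp, so it is worth confirming that a length check on the skb precedes it, as the "goto exit; }" context before the cast in the second hunk suggests is done there. The rejection path is silent apart from NCI_HCI_ANY_E_NOK; a debug-level message carrying the rejected pipe value would make misbehaving firmware easier to diagnose.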
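Review bot: In the second hunk (@@ -336), the bound compared against is the constant NCI_HCI_MAX_PIPES, while the object being indexed is ndev->hci_dev->pipes[]. The diff does not show the declaration, so the check is only correct as long as the array is sized with that same constant. If pipes is a fixed-size array member, comparing against ARRAY_SIZE(ndev->hci_dev->pipes) would keep the check tied to the array itself if the declaration ever changes. The same three-line check now appears in both hunks; a small helper that validates a pipe index would keep the two paths from drifting apart.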