netdev.vger.kernel.org archive mirror
* [PATCH net] net: nfc: fix bounds checking bugs on "pipe"
@ 2020-03-04 14:24 Dan Carpenter
  2020-03-06  5:33 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2020-03-04 14:24 UTC
  To: David S. Miller, Christophe Ricard
  Cc: Jakub Kicinski, Greg Kroah-Hartman, Kate Stewart, Allison Randal,
	netdev, Suren Baghdasaryan, kernel-janitors

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
added range checks on "pipe".

The "pipe" variable comes from skb->data[0] in nfc_hci_msg_rx_work().
It's in the 0-255 range.  We're using it as the array index into the
hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.

Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/nfc/hci/core.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index 6f1b096e601c..43811b5219b5 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -181,13 +181,20 @@ void nfc_hci_resp_received(struct nfc_hci_dev *hdev, u8 result,
 void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
 			  struct sk_buff *skb)
 {
-	u8 gate = hdev->pipes[pipe].gate;
 	u8 status = NFC_HCI_ANY_OK;
 	struct hci_create_pipe_resp *create_info;
 	struct hci_delete_pipe_noti *delete_info;
 	struct hci_all_pipe_cleared_noti *cleared_info;
+	u8 gate;
 
-	pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
+	pr_debug("from pipe %x cmd %x\n", pipe, cmd);
+
+	if (pipe >= NFC_HCI_MAX_PIPES) {
+		status = NFC_HCI_ANY_E_NOK;
+		goto exit;
+	}
+
+	gate = hdev->pipes[pipe].gate;
 
 	switch (cmd) {
 	case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
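
Review bot: On the new early "goto exit" in nfc_hci_cmd_received(), "gate" is no longer initialized at declaration and is only assigned after the range check, so the out-of-range path reaches the exit label with "gate" unset. The exit label is outside this hunk; please confirm that nothing after it reads "gate" or indexes hdev->pipes[pipe], or keep a safe initial value such as "u8 gate = NFC_HCI_INVALID_GATE;" (the constant used in the second hunk). As a smaller point, this path rejects silently while nfc_hci_event_received() logs the invalid pipe, so a matching message here would keep the two handlers consistent.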
@@ -375,8 +382,14 @@ void nfc_hci_event_received(struct nfc_hci_dev *hdev, u8 pipe, u8 event,
 			    struct sk_buff *skb)
 {
 	int r = 0;
-	u8 gate = hdev->pipes[pipe].gate;
+	u8 gate;
+
+	if (pipe >= NFC_HCI_MAX_PIPES) {
+		pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
+		goto exit;
+	}
 
+	gate = hdev->pipes[pipe].gate;
 	if (gate == NFC_HCI_INVALID_GATE) {
 		pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
 		goto exit;
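
Review bot: The new pr_err() for an invalid pipe in nfc_hci_event_received() fires once per received frame, and the commit message says "pipe" is taken straight from skb->data[0], so a misbehaving controller can fill the kernel log at will. Consider pr_err_ratelimited() here, and for the existing "unopened pipe" message just below, which has the same trigger. The check itself sits before the first hdev->pipes[pipe] access, which is the right place for it.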
-- 
2.11.0



* Re: [PATCH net] net: nfc: fix bounds checking bugs on "pipe"
  2020-03-04 14:24 [PATCH net] net: nfc: fix bounds checking bugs on "pipe" Dan Carpenter
@ 2020-03-06  5:33 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-03-06  5:33 UTC
  To: dan.carpenter
  Cc: christophe.ricard, kuba, gregkh, kstewart, allison, netdev,
	surenb, kernel-janitors

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 4 Mar 2020 17:24:31 +0300

> This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
> corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
> ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
> added range checks on "pipe".
> 
> The "pipe" variable comes from skb->data[0] in nfc_hci_msg_rx_work().
> It's in the 0-255 range.  We're using it as the array index into the
> hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
> 
> Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied and queued up for -stable, thanks Dan.
