From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH 5.0 042/115] nfc: nci: Potential off by one in ->pipes[] array
Date: Wed, 24 Apr 2019 19:09:38 +0200
Message-ID: <20190424170927.505476173@linuxfoundation.org>
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ]

This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
where we changed NFC_HCI_MAX_PIPES from 127 to 128.

As the comment next to the define explains, the pipe identifier is 7
bits long.  The highest possible pipe is 127, but the number of possible
pipes is 128.  As the code is now, then there is potential for an
out of bounds array access:

    net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
    'ndev->hci_dev->pipes[pipe]' '0-127 == 127'

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/nfc/nci_core.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -166,7 +166,7 @@ struct nci_conn_info {
  * According to specification 102 622 chapter 4.4 Pipes,
  * the pipe identifier is 7 bits long.
  */
-#define NCI_HCI_MAX_PIPES          127
+#define NCI_HCI_MAX_PIPES          128
 
 struct nci_hci_gate {
 	u8 gate;
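
Review bot: The comment above the changed `#define NCI_HCI_MAX_PIPES` still says only that the pipe identifier is 7 bits long, which leaves it unclear whether the macro is the highest identifier (127) or the number of entries (128). Suggest extending that comment to state that valid pipe identifiers run from 0 to 127 and that the macro is the count that sizes `pipes[]`, so a later reader does not change it back. Because this patch touches only the header, it is also worth confirming that any bounds check against the macro outside this hunk (the commit message points at `ndev->hci_dev->pipes[pipe]` in nci_hci_cmd_received()) rejects `pipe >= NCI_HCI_MAX_PIPES` rather than `pipe > NCI_HCI_MAX_PIPES`.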


