Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

ANDROID: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands

Browse source 
When handling SHDLC I-Frame commands "pipe" field used for indexing
into an array should be checked before usage. If left unchecked it
might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).

Bug: 62679701

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This commit is contained in:
Suren Baghdasaryan 2017-08-17 15:50:54 -07:00 committed by Amit Pundir
parent 74f0695ee1
commit 4818d4b11d
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
net/nfc/hci/core.c
View file

@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
} }
create_info = (struct hci_create_pipe_resp *)skb->data; create_info = (struct hci_create_pipe_resp *)skb->data;
if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
status = NFC_HCI_ANY_E_NOK;
goto exit;
}
/* Save the new created pipe and bind with local gate, /* Save the new created pipe and bind with local gate,
* the description for skb->data[3] is destination gate id * the description for skb->data[3] is destination gate id
* but since we received this cmd from host controller, we * but since we received this cmd from host controller, we
@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
} }
delete_info = (struct hci_delete_pipe_noti *)skb->data; delete_info = (struct hci_delete_pipe_noti *)skb->data;
if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
status = NFC_HCI_ANY_E_NOK;
goto exit;
}
hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE; hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST; hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
break; break;