ANDROID: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
When handling SHDLC I-Frame commands "pipe" field used for indexing into an array should be checked before usage. If left unchecked it might access memory outside of the array of size NFC_HCI_MAX_PIPES(127). Bug: 62679701 Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This commit is contained in:
parent
74f0695ee1
commit
4818d4b11d
1 changed files with 10 additions and 0 deletions
|
@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
|
|||
}
|
||||
create_info = (struct hci_create_pipe_resp *)skb->data;
|
||||
|
||||
if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
|
||||
status = NFC_HCI_ANY_E_NOK;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Save the new created pipe and bind with local gate,
|
||||
* the description for skb->data[3] is destination gate id
|
||||
* but since we received this cmd from host controller, we
|
||||
|
@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
|
|||
}
|
||||
delete_info = (struct hci_delete_pipe_noti *)skb->data;
|
||||
|
||||
if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
|
||||
status = NFC_HCI_ANY_E_NOK;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
|
||||
hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
|
||||
break;
|
||||
|
|
Loading…
Reference in a new issue