ANDROID: NFC: Fix possible memory corruption when handling SHDLC I-Frame commands

When handling SHDLC I-Frame commands "pipe" field used for indexing
into an array should be checked before usage. If left unchecked it
might access memory outside of the array of size NFC_HCI_MAX_PIPES(127).

Bug: 62679701

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This commit is contained in:
Suren Baghdasaryan 2017-08-17 15:50:54 -07:00 committed by Amit Pundir
parent 74f0695ee1
commit 4818d4b11d

View file

@ -209,6 +209,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
}
create_info = (struct hci_create_pipe_resp *)skb->data;
if (create_info->pipe >= NFC_HCI_MAX_PIPES) {
status = NFC_HCI_ANY_E_NOK;
goto exit;
}
/* Save the new created pipe and bind with local gate,
* the description for skb->data[3] is destination gate id
* but since we received this cmd from host controller, we
@ -232,6 +237,11 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
}
delete_info = (struct hci_delete_pipe_noti *)skb->data;
if (delete_info->pipe >= NFC_HCI_MAX_PIPES) {
status = NFC_HCI_ANY_E_NOK;
goto exit;
}
hdev->pipes[delete_info->pipe].gate = NFC_HCI_INVALID_GATE;
hdev->pipes[delete_info->pipe].dest_host = NFC_HCI_INVALID_HOST;
break;