Received: by 10.192.165.156 with SMTP id m28csp2186101imm; Thu, 12 Apr 2018 09:59:05 -0700 (PDT) X-Google-Smtp-Source: AIpwx48GPq0bPar2HSPQy3YGFTsbW5WycHTfpucWNdCLe/noG2FrlY2Jb6Yv+MNiUho6aUha0Dxk X-Received: by 10.99.140.77 with SMTP id q13mr1316350pgn.44.1523552345296; Thu, 12 Apr 2018 09:59:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523552345; cv=none; d=google.com; s=arc-20160816; b=ixvt6EikVOTVjFCvLh0P1BrnJyMMvbvsi4NHk0xzmyW9InveqYOOqq7TmMn2+1zbUv LgSLpCs+0YyCxWNdG79cs5wzQKsrL1Oqb/Z3eEd0xj1qzLieQyy4mvxagIZ5pQX8/3zL v0eRBYuId4EVxRJYjIQ9mUPbLUZN53ch+Hf+6jhRrCaIfv7YYaxvqNG95okpGp9XnB+U uBvsNgMYBLj1t9fOTZ23hWRFWIfXEQcfcJ5A+bOGXpb0bejdiswRLsn4dAXiruSjSAf7 TpEJ89l2ZBZhC+OhX5sGlRIwp72UzDRyfVn9KNwxA2BSg14V2FkS6RvMDge+ddrJ+SlW U4Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=jLDJ4cUgMktDcIpJZ2dBIGEeWSUC7rDUv9h+eg6kmiU=; b=FeKbdrKsbHwHGPvwM8QdL0swzIGaYUfzszRRJiKUKDh/5vLzWQ4O4lANShVVrCg5SW SJYFgwH9DCw5iIzUVxqmnW2fFExH0KYe3Cj6/9y4STndOS/E/SdSL0aQQ0E3ZsYLd3kG /MmOdaaFKORVLUlhphGZwL/MN1QU++OLWM8kkBjbR2lnFSzhyZzZcuyyw9LTGXVNJMFo MP7QB+D7GdGoQsg0GYvRivpS5PGqLZxXSPzYb3AtG9fHQx7QTID/USmPoeYO0VNLFydh Q35seyqJT51u7MMoc8w9BJL4f4/QwhZA7FGQxFKfsgoXo+dQszYJk4VuUAc0o3t+Eiu9 kE4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=c4IES+Pv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si3679767plv.217.2018.04.12.09.58.44; Thu, 12 Apr 2018 09:59:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=c4IES+Pv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753111AbeDLQ5E (ORCPT + 99 others); Thu, 12 Apr 2018 12:57:04 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:52737 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752802AbeDLQ5B (ORCPT ); Thu, 12 Apr 2018 12:57:01 -0400 Received: by mail-wm0-f68.google.com with SMTP id g8so13043146wmd.2 for ; Thu, 12 Apr 2018 09:57:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=jLDJ4cUgMktDcIpJZ2dBIGEeWSUC7rDUv9h+eg6kmiU=; b=c4IES+PvZacZMuRSh0rOaT4tohUMbB+Aidj4NlsdQl2dt/BxdBejlSGa2yLgJpsG1U 5UpJd4YSRFwzfcL8lAxHDxM0chlnJecVcZf/UCDVNVrvwxdEFAje2TzxX8IYS/L84zwF D2uFEhuiu+etiJOz/+6c8k4CUSDv5D49ai/A01PbekX2uod2pnE6BOZ24V1Qy7II7Kt5 PyZGB1tTarwCMOKRr4rDvLFUHXRdnUGpR+6LlbqZ4aixV5ZrXOeCqC7tnc7bcdDxYdAR H8iPr//pZFHj8//A6Gyqlrhk4fZmjqV4DDd7m9O8PTL4LTMF3bjJi2S4FNofdkw0kP3+ Fibg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=jLDJ4cUgMktDcIpJZ2dBIGEeWSUC7rDUv9h+eg6kmiU=; b=iay++UtEuLXpGv2LfRj3l2xKhvy5aG/8ss7d95VQaK/zlNWeQlD45on+oHdDTFs6x4 Ob6sRF+AJFUydD6fOCVARhLrNPgGWj5n3AbYiKv+o5RYjKKDoZyiddB+71sBn3eoxqsi l6cm7NeefYFM7u9kYGUEiDnBq5zxkqCKFMsAf/jlot1TKZFGd9T3DX27BJ1p78ChWpDC NCYgBf1YZVn/Q5vmW0fyEKwYp0SmWNdyteMqGgMMxl4S8FBQrOQ+DBmJBm129vfBFjo/ S76xkyMXIeXPr8ZO8CV3MEuxcdFgMi/o4WDNhqFHcttMKxuL3a0jCkE3UREG7m8hvkpr rjYg== X-Gm-Message-State: ALQs6tAffmV/DrLAC1L3dpn5pYxWxSlss/DmzxFUkjN77FWkXmiWdYpq CbXc2yAI5K+3Y5oKGYQX5YQrxw== X-Received: by 10.28.197.205 with SMTP id v196mr1380782wmf.39.1523552219946; Thu, 12 Apr 2018 09:56:59 -0700 (PDT) Received: from andreyknvl0.muc.corp.google.com ([2a00:79e0:15:10:84be:a42a:826d:c530]) by smtp.gmail.com with ESMTPSA id q127sm3902523wmd.3.2018.04.12.09.56.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Apr 2018 09:56:59 -0700 (PDT) From: Andrey Konovalov To: Samuel Ortiz , "David S . Miller" , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Dmitry Vyukov , Kostya Serebryany , Andrey Konovalov Subject: [PATCH] NFC: fix attrs checks in netlink interface Date: Thu, 12 Apr 2018 18:56:56 +0200 Message-Id: <75ce3040b4086ffa2d2e088ad7f24f5e4a87be56.1523552145.git.andreyknvl@google.com> X-Mailer: git-send-email 2.17.0.484.g0c8726318c-goog Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX attribute being present, but doesn't check whether it is actually provided by the user. Same goes for nfc_genl_fw_download() and NFC_ATTR_FIRMWARE_NAME. This patch adds appropriate checks. Found with syzkaller. Signed-off-by: Andrey Konovalov --- net/nfc/netlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c index f018eafc2a0d..58adfb0c90f6 100644 --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -936,7 +936,8 @@ static int nfc_genl_deactivate_target(struct sk_buff *skb, u32 device_idx, target_idx; int rc; - if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) + if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || + !info->attrs[NFC_ATTR_TARGET_INDEX]) return -EINVAL; device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); @@ -1245,7 +1246,8 @@ static int nfc_genl_fw_download(struct sk_buff *skb, struct genl_info *info) u32 idx; char firmware_name[NFC_FIRMWARE_NAME_MAXSIZE + 1]; - if (!info->attrs[NFC_ATTR_DEVICE_INDEX]) + if (!info->attrs[NFC_ATTR_DEVICE_INDEX] || + !info->attrs[NFC_ATTR_FIRMWARE_NAME]) return -EINVAL; idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]); -- 2.17.0.484.g0c8726318c-goog