Received: by 10.192.165.148 with SMTP id m20csp1660248imm;
        Thu, 3 May 2018 03:21:17 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpMFtGvgqYV1REaxXKYt/Cdl+M4Ew/Lx0BbmHA0Edx1I8EQG20DQ5t+3WemkAqCtX7dlMyB
X-Received: by 2002:a63:18c:: with SMTP id 134-v6mr5040540pgb.138.1525342877471;
        Thu, 03 May 2018 03:21:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525342877; cv=none;
        d=google.com; s=arc-20160816;
        b=cRxlo0D9U2UIFD+JYAvVD0N8C7AjPf+n0geiLr7hu4f9tCj1wreBGKBLd9RH+EnnJi
         QkQ1wJiYX5a5Pzz4LqA93+d4h9O1yPiHsMyHXmq8dPxuAGWDOXPDvoSRQ8FezN111chF
         pN0+q6DBFlUrIRCOCtavSt28QDZ72nAUcjzKOLdBIRpAWhQ72d8DYHcFW4q1xxLvRX1M
         qKgYbUinMf8VZ4+c2OyVJQaDlQZ+yH2LycpbWwab5nPKX9SJ9fBkFSDH5/E9ZmgU05cX
         zzSnDl3Ud8k9AoB/IDF4x9Ri11FDNtCzl1EsHDrbrVT6TdKNXhXfGvpsagX/XUqA497i
         ZfLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :organization:references:in-reply-to:date:cc:to:from:subject
         :message-id:arc-authentication-results;
        bh=9IlzHr4URac3CmcFeJuNQK8NOHaKE6Z/CPPx4bs06Ko=;
        b=WfNXTBSFacY6MDmwVvrUC1wtJz7aEvzczAEXS7Qtw51tu1YrnsdkV3+AglFZoPfmeX
         ITSve9J2MqqyhDd5tvSwSK1S00dmiITuLeSWvNoinE/8dex/hY28VvSTwF16A8gcesQy
         giaXGLFL85opakeqWQeQmlHVXTo9huWiiTVsbO4fAJ9fzokdq94bxB/W9yUmjXNqt7No
         w0JLxWw7lJ2UjhfdI9SFn8XKD/a+tIK/XSG+4kjdjm9xv4ZeZ9PRiSyvJ00gX9igTJPS
         jNPYNYgjnh+Bdsc0mmA1xrV78v5nfdzEhua0L6QMm4daQUeW4y32MLINfqaqinBfnX4G
         dfpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p83si13609951pfl.279.2018.05.03.03.21.03;
        Thu, 03 May 2018 03:21:17 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752406AbeECKUx (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Thu, 3 May 2018 06:20:53 -0400
Received: from mga18.intel.com ([134.134.136.126]:57937 "EHLO mga18.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751701AbeECKUs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 May 2018 06:20:48 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
  by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 May 2018 03:20:48 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,358,1520924400"; 
   d="scan'208";a="55642398"
Received: from smile.fi.intel.com (HELO smile) ([10.237.72.86])
  by orsmga002.jf.intel.com with ESMTP; 03 May 2018 03:20:44 -0700
Message-ID: <1525342843.21176.635.camel@linux.intel.com>
Subject: Re: [PATCH v2 3/3] NFC: fdp: Fix possible buffer overflow in
 WCS4000 NFC driver
From:   Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To:     Amit Pundir <amit.pundir@linaro.org>,
        lkml <linux-kernel@vger.kernel.org>,
        linux-wireless@vger.kernel.org
Cc:     Suren Baghdasaryan <surenb@google.com>,
        Samuel Ortiz <sameo@linux.intel.com>,
        Christophe Ricard <christophe.ricard@gmail.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        John Stultz <john.stultz@linaro.org>,
        Dmitry Shmidt <dimitrysh@google.com>,
        Todd Kjos <tkjos@google.com>,
        Android Kernel Team <kernel-team@android.com>
Date:   Thu, 03 May 2018 13:20:43 +0300
In-Reply-To: <1525283288-7027-4-git-send-email-amit.pundir@linaro.org>
References: <1525283288-7027-1-git-send-email-amit.pundir@linaro.org>
         <1525283288-7027-4-git-send-email-amit.pundir@linaro.org>
Organization: Intel Finland Oy
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.5-1+b1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-05-02 at 23:18 +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan <surenb@google.com>
> 
> Possible buffer overflow when reading next_read_size bytes into
> tmp buffer after next_read_size was extracted from a previous packet.
> 
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
> ---
> v2:
> Remove redundant __func__ from dev_dgb().
> 
>  drivers/nfc/fdp/i2c.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
> index c4da50e..b80d1ad 100644
> --- a/drivers/nfc/fdp/i2c.c
> +++ b/drivers/nfc/fdp/i2c.c
> @@ -176,6 +176,15 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy
> *phy, struct sk_buff **skb)
>  		/* Packet that contains a length */
>  		if (tmp[0] == 0 && tmp[1] == 0) {
>  			phy->next_read_size = (tmp[2] << 8) + tmp[3]
> + 3;
> +			/*
> +			 * Ensure next_read_size does not exceed
> sizeof(tmp)
> +			 * for reading that many bytes during next
> iteration
> +			 */
> +			if (phy->next_read_size >
> FDP_NCI_I2C_MAX_PAYLOAD) {
> +				dev_dbg(&client->dev, "corrupted
> packet\n");

> +				phy->next_read_size = 5;

Shouldn't be this magic replaced by

	phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD;

? 

> +				goto flush;
> +			}
>  		} else {
>  			phy->next_read_size =
> FDP_NCI_I2C_MIN_PAYLOAD;
>  

-- 
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Intel Finland Oy