From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kees Cook, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 085/496] NFC: llcp: Limit size of SDP URI
Date: Mon, 28 May 2018 11:57:50 +0200
Message-Id: <20180528100323.382539330@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook

[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ]

The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
this both in the NLA policy and in the code that performs the allocation
and copy, to avoid writing past the end of the allocated buffer.

Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/nfc/llcp_commands.c | 4 ++++
 net/nfc/netlink.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_ pr_debug("uri: %s, len: %zu\n", uri, uri_len); + /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ + if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) + return NULL; + sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); if (sdreq == NULL) return NULL; --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c 
@@ -61,7 +61,8 @@ static const struct nla_policy nfc_genl_ }; static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { - [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, + [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, + .len = U8_MAX - 4 }, [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, };
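
Review bot: In the net/nfc/llcp_commands.c hunk, the new early return on "uri_len > U8_MAX - 4" yields the same NULL as the kzalloc failure just below it, so a caller cannot tell an over-long URI from an out-of-memory condition; consider documenting that NULL covers both cases, or giving the length rejection a distinct error path. Because the condition is wrapped in WARN_ON_ONCE, it is also worth confirming that every caller is already bounded, as the netlink policy change in this patch does for NFC_SDP_ATTR_URI, so the warning cannot be raised from user-supplied input. In the comment, "+ 1 for NULL" refers to the terminating NUL byte and should say NUL.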
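
Review bot: In the net/nfc/netlink.c hunk, ".len = U8_MAX - 4" repeats the literal bound from the check added in net/nfc/llcp_commands.c, and nothing ties the two together; a shared named constant in a common header would keep the policy and the allocation-side check from drifting apart. A short comment on the policy entry saying that the limit exists because tlv_len is u8 would help, as would confirming that the policy length and the uri_len tested in llcp_commands.c count the same bytes with respect to a trailing NUL.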