From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , "David S. Miller" , Sasha Levin Subject: [PATCH 4.4 088/268] NFC: llcp: Limit size of SDP URI Date: Mon, 28 May 2018 12:01:02 +0200 Message-Id: <20180528100212.166588456@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100202.045206534@linuxfoundation.org> References: <20180528100202.045206534@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kees Cook [ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ] The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce this both in the NLA policy and in the code that performs the allocation and copy, to avoid writing past the end of the allocated buffer. Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface") Signed-off-by: Kees Cook Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_commands.c | 4 ++++ net/nfc/netlink.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_ pr_debug("uri: %s, len: %zu\n", uri, uri_len); + /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ + if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) + return NULL; + sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); if (sdreq == NULL) return NULL; --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c 
@@ -68,7 +68,8 @@ static const struct nla_policy nfc_genl_ }; static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { - [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, + [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, + .len = U8_MAX - 4 }, [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, };
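Review bot: the bound `U8_MAX - 4` is written as a bare literal in the new check in nfc_llcp_build_sdreq_tlv() (net/nfc/llcp_commands.c) and again in the nfc_sdp_genl_policy entry in net/nfc/netlink.c; give it one name (for example a define next to the sdp_tlv declarations, carrying the "+ 3 for header, + 1 for NULL" derivation that the comment above the WARN_ON_ONCE already spells out) and use it in both files, so the guard and the netlink policy cannot drift apart on a later edit. Placing the check ahead of the kzalloc() is right: the early `return NULL` leaves nothing allocated.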
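Review bot: for an NLA_STRING policy entry, `.len` is compared against the attribute length after a trailing NUL byte has been dropped, so a 252-byte attribute whose last byte is NUL passes `.len = U8_MAX - 4`. If nfc_genl_llc_sdreq passes nla_len() unchanged as uri_len (that caller is not in this patch, so please check it), such a request reaches `WARN_ON_ONCE(uri_len > U8_MAX - 4)` in nfc_llcp_build_sdreq_tlv and a userspace caller permitted to issue the request can trigger the warning once. Either drop the NUL before computing uri_len, or lower this bound to `U8_MAX - 5`: the policy should reject everything the WARN would, since the WARN is there to catch internal callers, not userspace input.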
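As an added illustration of the commit message's point, here is a constructed userspace model (not net/nfc code, not part of the original mail) of the arithmetic described in the hunk comment: tlv_len is a u8 that takes uri_len, plus 3 for the TLV header and 1 for the NUL. Once uri_len + 3 exceeds 255 the u8 wraps, the buffer is sized from the wrapped value, and copying the full URI runs past it. The block also mirrors the two checks the patch adds, the `uri_len > U8_MAX - 4` guard and the NLA_STRING `.len` bound; the policy-side function assumes lib/nlattr.c's NLA_STRING handling (a trailing NUL is not counted against `.len`), which is not shown on this page. The names SDREQ_HDR_LEN, SDP_URI_MAX_LEN, overflow_bytes, sdp_uri_len_ok, nla_string_policy_ok and nul_terminated_edge_case are this example's own.

```c
/*
 * Constructed model of the length arithmetic from the commit message and
 * the hunk comment ("tlv_len is u8, takes uri_len, + 3 for header, + 1 for
 * NULL"). Userspace example, not the kernel's net/nfc code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define U8_MAX           255u
#define SDREQ_HDR_LEN    3u   /* "+ 3 for header" per the hunk comment */
#define SDREQ_NUL_LEN    1u   /* "+ 1 for NULL"   per the hunk comment */
#define SDP_URI_MAX_LEN  (U8_MAX - SDREQ_HDR_LEN - SDREQ_NUL_LEN) /* 251 == U8_MAX - 4 */

/* Pre-fix arithmetic: the u8 silently wraps once uri_len + 3 exceeds 255. */
static size_t truncated_alloc_size(size_t uri_len)
{
	uint8_t tlv_len = (uint8_t)(uri_len + SDREQ_HDR_LEN);	/* mod 256 */
	return (size_t)tlv_len + SDREQ_NUL_LEN;
}

/* What the header + URI + NUL copy actually writes into that buffer. */
static size_t bytes_written(size_t uri_len)
{
	return SDREQ_HDR_LEN + uri_len + SDREQ_NUL_LEN;
}

/* Bytes written past the end of the truncated allocation; 0 means in bounds. */
size_t overflow_bytes(size_t uri_len)
{
	size_t alloc = truncated_alloc_size(uri_len);
	size_t need = bytes_written(uri_len);

	return need > alloc ? need - alloc : 0;
}

/* Post-fix guard: the same predicate as WARN_ON_ONCE(uri_len > U8_MAX - 4). */
bool sdp_uri_len_ok(size_t uri_len)
{
	return uri_len <= SDP_URI_MAX_LEN;
}

/*
 * Policy-side bound modelled on lib/nlattr.c's NLA_STRING validation when
 * .len is set (assumption: that code is not shown on this page): a trailing
 * NUL is dropped before the length is compared against .len.
 */
bool nla_string_policy_ok(const char *attr, size_t attrlen, size_t max_len)
{
	if (attrlen < 1)
		return false;
	if (attr[attrlen - 1] == '\0')
		attrlen--;
	return attrlen <= max_len;
}

/*
 * Constructed edge case: 251 'a' bytes plus a NUL, 252 bytes on the wire.
 * Returns true when the policy accepts it but the uri_len guard rejects it.
 */
bool nul_terminated_edge_case(void)
{
	char attr[256];
	size_t attrlen = SDP_URI_MAX_LEN + 1;	/* 252 */

	memset(attr, 'a', SDP_URI_MAX_LEN);
	attr[SDP_URI_MAX_LEN] = '\0';
	return nla_string_policy_ok(attr, attrlen, SDP_URI_MAX_LEN) &&
	       !sdp_uri_len_ok(attrlen);
}

int main(void)
{
	size_t lens[] = { 10, 251, 252, 253, 300 };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("uri_len=%3zu  overflow_bytes=%3zu  guard=%s\n",
		       lens[i], overflow_bytes(lens[i]),
		       sdp_uri_len_ok(lens[i]) ? "accept" : "reject");

	printf("252-byte NUL-terminated attr passes policy but fails guard: %s\n",
	       nul_terminated_edge_case() ? "yes" : "no");
	return 0;
}
```

In this model the wrap first bites at uri_len 253 (253 + 3 = 256 wraps to 0, so a 1-byte buffer receives 257 bytes), and every wrapped length overflows by exactly 256 bytes. The guard's bound of 251 is one byte more conservative than the raw arithmetic needs here, which matches the "+ 1 for NULL" slack in the hunk comment. The edge-case function shows why the two checks should agree on how a trailing NUL is counted: a 252-byte attribute ending in NUL clears the policy yet trips the guard.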