From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kees Cook , "David S. Miller" , Sasha Levin Subject: [PATCH 3.18 058/185] NFC: llcp: Limit size of SDP URI Date: Mon, 28 May 2018 12:01:39 +0200 Message-Id: <20180528100055.789665989@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100050.700971285@linuxfoundation.org> References: <20180528100050.700971285@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kees Cook [ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ] The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce this both in the NLA policy and in the code that performs the allocation and copy, to avoid writing past the end of the allocated buffer. Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface") Signed-off-by: Kees Cook Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/nfc/llcp_commands.c | 4 ++++ net/nfc/netlink.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_ pr_debug("uri: %s, len: %zu\n", uri, uri_len); + /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ + if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) + return NULL; + sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); if (sdreq == NULL) return NULL; --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c 
@@ -60,7 +60,8 @@ static const struct nla_policy nfc_genl_ }; static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { - [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, + [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, + .len = U8_MAX - 4 }, [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, };
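Review bot: In the net/nfc/llcp_commands.c hunk, the new length check returns NULL, the same value the kzalloc() failure path directly below it returns, so a caller cannot tell "URI too long" from "out of memory". Please confirm the callers turn a NULL return into an error that makes sense for both cases, or say in the comment that the two are deliberately folded together. The comment also reads "+ 1 for NULL" where the string terminator is meant; "NUL" would avoid confusion with the pointer value.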
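Review bot: In the net/nfc/netlink.c hunk, ".len = U8_MAX - 4" carries no comment, and the same bare expression appears in the WARN_ON_ONCE() check in net/nfc/llcp_commands.c, so the two limits can drift apart if the TLV header size ever changes. Consider defining the bound once as a named macro in a header both files include and using it in both places, or at least add a one-line comment here pointing at the u8 tlv_len that the limit protects.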