From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter Subject: [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Date: Wed, 24 Apr 2019 19:09:37 +0200 Message-Id: <20190424170927.445586466@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190424170924.797924502@linuxfoundation.org> References: <20190424170924.797924502@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ] This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory corruption when handling SHDLC I-Frame commands"). I'm not totally sure, but I think that commit description may have overstated the danger. I was under the impression that this data came from the firmware? If you can't trust your networking firmware, then you're already in trouble. Anyway, these days we add bounds checking where ever we can and we call it kernel hardening. Better safe than sorry. Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- net/nfc/nci/hci.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/net/nfc/nci/hci.c +++ b/net/nfc/nci/hci.c @@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct create_info = (struct nci_hci_create_pipe_resp *)skb->data; dest_gate = create_info->dest_gate; new_pipe = create_info->pipe; + if (new_pipe >= NCI_HCI_MAX_PIPES) { + status = NCI_HCI_ANY_E_NOK; + goto exit; + } /* Save the new created pipe and bind with local gate, * the description for skb->data[3] is destination gate id 
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct goto exit; } delete_info = (struct nci_hci_delete_pipe_noti *)skb->data; + if (delete_info->pipe >= NCI_HCI_MAX_PIPES) { + status = NCI_HCI_ANY_E_NOK; + goto exit; + } ndev->hci_dev->pipes[delete_info->pipe].gate = NCI_HCI_INVALID_GATE;
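Review bot: in the first hunk (@@ -312), dest_gate is read from the same create-pipe message as new_pipe, yet only new_pipe gets a range check. The comment that follows says the new pipe is bound to the local gate, so if dest_gate is used as an index there, either check it the same way or state in the commit message why every value it can take is in range. The added test `new_pipe >= NCI_HCI_MAX_PIPES` is also only sufficient if new_pipe is an unsigned type and the pipes table has exactly NCI_HCI_MAX_PIPES entries; neither declaration is visible in this diff, so both are worth confirming before this is relied on as hardening.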
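Review bot: in the second hunk (@@ -336), delete_info->pipe is read from skb->data once for the check and a second time for the index in `ndev->hci_dev->pipes[delete_info->pipe].gate`, whereas the first hunk copies the value into new_pipe before testing it. Copying the pipe number into a local here as well would keep the two paths consistent and make it obvious that the value checked is the value used as the index. The reject path (`status = NCI_HCI_ANY_E_NOK; goto exit;`) now appears in both hunks with the same condition, so a small helper for validating a pipe number would be a reasonable follow-up if more callers need it.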