From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 202/323] nfc: pn533: prevent potential memory corruption
Date: Thu, 20 May 2021 11:21:34 +0200
Message-Id: <20210520092127.056205902@linuxfoundation.org>

From: Dan Carpenter

[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ]

If the "type_a->nfcid_len" is too large then it would lead to memory
corruption in pn533_target_found_type_a() when we do:

	memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);

Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- drivers/nfc/pn533/pn533.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c index c05cb637ba92..e3026e20f169 100644 --- a/drivers/nfc/pn533/pn533.c +++ b/drivers/nfc/pn533/pn533.c @@ -692,6 +692,9 @@ static bool pn533_target_type_a_is_valid(struct pn533_target_type_a *type_a, if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0) return false; + if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE) + return false; + return true; } -- 2.30.2
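
Review bot: The added nfcid_len check in pn533_target_type_a_is_valid() sits in a different function from the memcpy() it protects, which the commit message places in pn533_target_found_type_a(), so the copy stays safe only as long as every path runs the validator before copying. A short comment above "if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE)" naming the copy into nfc_tgt->nfcid1 would keep that dependency visible to anyone who later touches either function. The check compares nfcid_len against a constant only; the signature is cut off after "type_a," in the hunk context, so if a received-length argument follows, it is worth confirming that nfcid_len is also checked against it so the read from nfcid_data stays inside the data actually received.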