If gb_len is less than 3 it would cause an integer underflow and
possibly memory corruption in nfc_llcp_parse_gb_tlv().
I removed the old test for gb_len == 0. I also removed the test for
->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and
we have already dereferenced ->remote_gb_len so it's too late to test.
The old test return -ENODEV but my test returns -EINVAL.
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 85bc75c..746f5a2 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
pr_err("No LLCP device\n");
return -ENODEV;
}
+ if (gb_len < 3)
+ return -EINVAL;
memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
memcpy(local->remote_gb, gb, gb_len);
local->remote_gb_len = gb_len;
- if (local->remote_gb == NULL || local->remote_gb_len == 0)
- return -ENODEV;
-
if (memcmp(local->remote_gb, llcp_magic, 3)) {
pr_err("MAC does not support LLCP\n");
return -EINVAL;
Hi Dan,
On Thursday 31 of January 2013 10:16:46 Dan Carpenter wrote:
> If gb_len is less than 3 it would cause an integer underflow and
> possibly memory corruption in nfc_llcp_parse_gb_tlv().
>
> I removed the old test for gb_len == 0. I also removed the test for
> ->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and
> we have already dereferenced ->remote_gb_len so it's too late to test.
>
> The old test return -ENODEV but my test returns -EINVAL.
>
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
> index 85bc75c..746f5a2 100644
> --- a/net/nfc/llcp/llcp.c
> +++ b/net/nfc/llcp/llcp.c
> @@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
> pr_err("No LLCP device\n");
> return -ENODEV;
> }
> + if (gb_len < 3)
> + return -EINVAL;
Maybe define NFC_MIN_GT_LEN and test it together with NFC_MAX_GT_LEN in
nfc_set_remote_general_bytes() ?
>
> memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
> memcpy(local->remote_gb, gb, gb_len);
> local->remote_gb_len = gb_len;
>
> - if (local->remote_gb == NULL || local->remote_gb_len == 0)
> - return -ENODEV;
> -
> if (memcmp(local->remote_gb, llcp_magic, 3)) {
> pr_err("MAC does not support LLCP\n");
> return -EINVAL;
--
BR
Szymon Janc
Szymon Janc suggested I should move the lower bound check into the
caller and make it match the check for NFC_MAX_GT_LEN.
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
index 87a6417..e50dd2c 100644
--- a/include/net/nfc/nfc.h
+++ b/include/net/nfc/nfc.h
@@ -74,6 +74,7 @@ struct nfc_ops {
#define NFC_TARGET_IDX_ANY -1
#define NFC_MAX_GT_LEN 48
+#define NFC_MIN_GT_LEN 3
#define NFC_ATR_RES_GT_OFFSET 15
struct nfc_target {
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 6ceee8e..e2c3b6e 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -450,7 +450,7 @@ int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
{
pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
- if (gb_len > NFC_MAX_GT_LEN)
+ if (gb_len < NFC_MIN_GT_LEN || gb_len > NFC_MAX_GT_LEN)
return -EINVAL;
return nfc_llcp_set_remote_gb(dev, gb, gb_len);
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7f8266d..7be27fb 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -547,8 +547,6 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
pr_err("No LLCP device\n");
return -ENODEV;
}
- if (gb_len < 3)
- return -EINVAL;
memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
memcpy(local->remote_gb, gb, gb_len);