Return-path: Received: from mail-pf0-f193.google.com ([209.85.192.193]:35644 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756774AbdLTTvr (ORCPT ); Wed, 20 Dec 2017 14:51:47 -0500 Received: by mail-pf0-f193.google.com with SMTP id j124so12995487pfc.2 for ; Wed, 20 Dec 2017 11:51:47 -0800 (PST) From: Amit Pundir To: lkml , linux-wireless@vger.kernel.org Cc: Suren Baghdasaryan , Samuel Ortiz , Christophe Ricard , Andy Shevchenko , John Stultz , Dmitry Shmidt , Todd Kjos , Android Kernel Team Subject: [RFC][PATCH 4/4] NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver Date: Thu, 21 Dec 2017 01:21:24 +0530 Message-Id: <1513799484-12505-5-git-send-email-amit.pundir@linaro.org> (sfid-20171220_205200_438577_A90D9041) In-Reply-To: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org> References: <1513799484-12505-1-git-send-email-amit.pundir@linaro.org> Sender: linux-wireless-owner@vger.kernel.org List-ID: From: Suren Baghdasaryan Possible buffer overflow when reading next_read_size bytes into tmp buffer after next_read_size was extracted from a previous packet. Signed-off-by: Suren Baghdasaryan Signed-off-by: Amit Pundir --- drivers/nfc/fdp/i2c.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c index c4da50e07bbc..08a4f82a2965 100644 --- a/drivers/nfc/fdp/i2c.c +++ b/drivers/nfc/fdp/i2c.c @@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb) /* Packet that contains a length */ if (tmp[0] == 0 && tmp[1] == 0) { phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3; + /* + * Ensure next_read_size does not exceed sizeof(tmp) + * for reading that many bytes during next iteration + */ + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) { + dev_dbg(&client->dev, "%s: corrupted packet\n", + __func__); + phy->next_read_size = 5; + goto flush; + } } else { phy->next_read_size = FDP_NCI_I2C_MIN_PAYLOAD; -- 2.7.4