author: Martin Faltesek <mfaltesek@google.com> 2022-11-22 01:42:46 +0100
committer: Jakub Kicinski <kuba@kernel.org> 2022-11-24 05:01:50 +0100
commit: 0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287 (patch)
tree: 56d4e2b9bacf193d1bb59b9784c732ca78b781ad /Documentation/target
parent: nfc: st-nci: fix memory leaks in EVT_TRANSACTION (diff)
download: linux-0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287.tar.xz
linux-0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287.zip
nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION
The transaction buffer is allocated by using the size of the packet buf, and subtracting two which seems intended to remove the two tags which are not present in the target structure. This calculation leads to under counting memory because of differences between the packet contents and the target structure. The aid_len field is a u8 in the packet, but a u32 in the structure, resulting in at least 3 bytes always being under counted. Further, the aid data is a variable length field in the packet, but fixed in the structure, so if this field is less than the max, the difference is added to the under counting.

To fix, perform validation checks progressively to safely reach the next field, to determine the size of both buffers and verify both tags. Once all validation checks pass, allocate the buffer and copy the data.

This eliminates freeing memory on the error path, as validation checks are moved ahead of memory allocation.

Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
Reviewed-by: Guenter Roeck <groeck@google.com>
Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
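An added illustration of the sizing mismatch the commit message describes, written for this page and not taken from the kernel's st-nci driver: the structure layout, the tag values and AID_MAX_LEN are assumptions, and the packet bytes are constructed. It contrasts the "packet length minus two tags" calculation with a progressive, bounds-checked walk over the packet that verifies both tags before computing the size the target structure actually needs.

```c
#include <stddef.h>
#include <stdint.h>

#define AID_MAX_LEN 16   /* assumed size of the fixed AID array in the target structure */
#define TAG_AID     0x81 /* assumed tag byte preceding aid_len in the packet */
#define TAG_PARAMS  0x82 /* assumed tag byte preceding params_len in the packet */

/* Constructed stand-in for the target structure: aid_len is widened from the
 * packet's u8 to a u32, and the AID occupies a fixed-size array. */
struct evt_transaction {
    uint32_t aid_len;
    uint8_t  aid[AID_MAX_LEN];
    uint8_t  params_len;
    uint8_t  params[];   /* variable-length params copied after the header */
};

/* Pre-fix style sizing: packet length with the two tag bytes removed. It
 * ignores the u8->u32 widening and the fixed AID array, so it under-counts. */
size_t naive_size(size_t pkt_len)
{
    return pkt_len < 2 ? 0 : pkt_len - 2;
}

/* Progressive validation: check bounds before reading each field, verify both
 * tags, and only then report the buffer size needed. Returns 0 on any failure,
 * so nothing has been allocated when a malformed packet is rejected. */
size_t validated_size(const uint8_t *pkt, size_t len)
{
    size_t pos = 0;
    uint8_t aid_len, params_len;

    if (len < 2 || pkt[pos++] != TAG_AID) return 0;      /* tag + aid_len present? */
    aid_len = pkt[pos++];
    if (aid_len > AID_MAX_LEN) return 0;                 /* must fit the fixed array */
    if (len < pos + aid_len + 2) return 0;               /* aid + tag + params_len? */
    pos += aid_len;
    if (pkt[pos++] != TAG_PARAMS) return 0;
    params_len = pkt[pos++];
    if (len < pos + params_len) return 0;                /* params fully present? */
    return sizeof(struct evt_transaction) + params_len;
}

/* Constructed sample packet: 7-byte AID followed by 4 bytes of params. */
static const uint8_t sample_pkt[] = {
    TAG_AID, 7, 0xA0, 0x00, 0x00, 0x00, 0x03, 0x10, 0x10,
    TAG_PARAMS, 4, 0x01, 0x02, 0x03, 0x04 };

size_t sample_naive(void)  { return naive_size(sizeof sample_pkt); }
size_t sample_needed(void) { return validated_size(sample_pkt, sizeof sample_pkt); }
size_t sample_undercount(void) { return sample_needed() - sample_naive(); }
```

For the sample packet the naive calculation yields 13 bytes while the structure needs at least sizeof(struct) plus 4, so the shortfall covers the 3 bytes from the widened aid_len plus the 9 unused AID slots (and any struct padding).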
Diffstat (limited to 'Documentation/target')
0 files changed, 0 insertions, 0 deletions