authorChristophe Ricard <christophe.ricard@gmail.com>2014-08-11 00:04:56 +0200
committerSamuel Ortiz <sameo@linux.intel.com>2014-09-08 00:07:44 +0200
commit56f1ffcccd784672654918f9214979b4918c2544 (patch)
tree9a7015cf87cc64844792febb32d0cd8e75124cb3 /drivers/nfc/st21nfca/st21nfca_dep.c
parentNFC: st21nfca: Remove useless IS_ERR(skb) conditions (diff)
NFC: st21nfca: Add condition to make sure atr_req->length is valid.
gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for that could lead to a potential kernel oops. We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req) to avoid such situation. Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'drivers/nfc/st21nfca/st21nfca_dep.c')
-rw-r--r--drivers/nfc/st21nfca/st21nfca_dep.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c
index b6de27b5011d..6c09a66d9a1d 100644
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c
@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
atr_req = (struct st21nfca_atr_req *)skb->data;
+ if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+ r = -EPROTO;
+ goto exit;
+ }
+
r = st21nfca_tm_send_atr_res(hdev, atr_req);
if (r)
goto exit;
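Review bot: The added check only puts a lower bound on `atr_req->length`; the field is read straight from `skb->data`, and nothing in the hunk compares it with `skb->len`. If `st21nfca_tm_send_atr_res` derives `gb_len` from this field, as the commit description indicates, a declared length larger than the bytes actually received could make the general-bytes copy read past the end of the skb. Consider bounding both sides, for example `if (atr_req->length < sizeof(struct st21nfca_atr_req) || atr_req->length > skb->len) {`, unless a check outside the hunk already guarantees this. The function body begins and ends outside the hunk, so whether `skb->len` is validated before the cast on the first context line cannot be confirmed from here.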