• Martin Faltesek's avatar
    nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION · f2e19b36
    Martin Faltesek authored
    The transaction buffer is allocated by using the size of the packet buf,
    and subtracting two which seem intended to remove the two tags which are
    not present in the target structure. This calculation leads to under
    counting memory because of differences between the packet contents and the
    target structure. The aid_len field is a u8 in the packet, but a u32 in
    the structure, resulting in at least 3 bytes always being under counted.
    Further, the aid data is a variable length field in the packet, but fixed
    in the structure, so if this field is less than the max, the difference is
    added to the under counting.
    
    The last validation check for transaction->params_len is also incorrect
    since it employs the same accounting error.
    
    To fix, perform validation checks progressively to safely reach the
    next field, to determine the size of both buffers and verify both tags.
    Once all validation checks pass, allocate the buffer and copy the data.
    This eliminates freeing memory on the error path, as those checks are
    moved ahead of memory allocation.
    
    Fixes: 26fc6c7f ("NFC: st21nfca: Add HCI transaction event support")
    Fixes: 4fbcc1a4 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarMartin Faltesek <mfaltesek@google.com>
    Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
    Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    f2e19b36
se.c 11.9 KB