Commit 06c286a3 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

NFC: microread: Potential overflows in microread_target_discovered()

commit d07f1e86 upstream.

Smatch says that skb->data is untrusted so we need to check to make sure
that the memcpy() doesn't overflow.

Fixes: cfad1ba8 ('NFC: Initial support for Inside Secure microread')
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSamuel Ortiz <sameo@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 82d53603
......@@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
targets->sens_res =
be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]);
targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK];
memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
skb->data[MICROREAD_EMCF_A_LEN]);
targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN];
if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
r = -EINVAL;
goto exit_free;
}
memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
targets->nfcid1_len);
break;
case MICROREAD_GATE_ID_MREAD_ISO_A_3:
targets->supported_protocols =
......@@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
targets->sens_res =
be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]);
targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK];
memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
skb->data[MICROREAD_EMCF_A3_LEN]);
targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN];
if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
r = -EINVAL;
goto exit_free;
}
memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
targets->nfcid1_len);
break;
case MICROREAD_GATE_ID_MREAD_ISO_B:
targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment