diff options
| author | Dan Rosenberg <dan.j.rosenberg@gmail.com> | 2012-06-25 16:05:27 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2012-07-12 04:32:01 +0100 |
| commit | ec5b2b02eedb2c3471d5a87ba0f72d11b04c2af1 (patch) | |
| tree | aa7124a871598918154cf963c597e29b0d2cfc3f | |
| parent | a49edd1239c7940218aad7366d0dbd5a61bae556 (diff) | |
NFC: Prevent multiple buffer overflows in NCI
commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
Fix multiple remotely-exploitable stack-based buffer overflows due to
the NCI code pulling length fields directly from incoming frames and
copying too much data into statically-sized arrays.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: security@kernel.org
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Acked-by: Ilan Elias <ilane@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
[bwh: Backported to 3.2:
- Drop changes to parsing of tech B and tech F parameters
- Various renaming]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | net/nfc/nci/ntf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index 96633f5cda4f..12b6a80a5c71 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev, nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); data += 2; - nfca_poll->nfcid1_len = *data++; + nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1)); nfc_dbg("sens_res 0x%x, nfcid1_len %d", nfca_poll->sens_res, @@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev, switch (ntf->rf_interface_type) { case NCI_RF_INTERFACE_ISO_DEP: - nfca_poll_iso_dep->rats_res_len = *data++; + nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20); if (nfca_poll_iso_dep->rats_res_len > 0) { memcpy(nfca_poll_iso_dep->rats_res, data, |