From: Dan Carpenter <dan.carpenter@oracle.com>
To: christophe.ricard@gmail.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] NFC: nci: Add HCI over NCI protocol support
Date: Fri, 2 Feb 2018 17:35:25 +0300
Message-ID: <20180202143525.GA24629@mwanda>

Hello Christophe Ricard,

The patch 11f54f228643: "NFC: nci: Add HCI over NCI protocol support"
from Feb 1, 2015, leads to the following static checker warning:

	net/nfc/nci/hci.c:297 nci_hci_cmd_received()
	error: buffer overflow 'ndev->hci_dev->pipes' 127 <= 127

net/nfc/nci/hci.c
   294  static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
   295                                   u8 cmd, struct sk_buff *skb)
   296  {
   297          u8 gate = ndev->hci_dev->pipes[pipe].gate;
                                               ^^^^
->pipes[] has 127 elements and "pipe" can go up to 127 so this might be
reading one element beyond the end of the array.

   298          u8 status = NCI_HCI_ANY_OK | ~NCI_HCI_FRAGMENT;
   299          u8 dest_gate, new_pipe;
   300          struct nci_hci_create_pipe_resp *create_info;
   301          struct nci_hci_delete_pipe_noti *delete_info;
   302          struct nci_hci_all_pipe_cleared_noti *cleared_info;
   303  
   304          pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
   305  

"pipe" can come from two places but they're both essentially the same:

net/nfc/nci/hci.c
   413  static void nci_hci_msg_rx_work(struct work_struct *work)
   414  {
   415          struct nci_hci_dev *hdev =
   416                  container_of(work, struct nci_hci_dev, msg_rx_work);
   417          struct sk_buff *skb;
   418          struct nci_hcp_message *message;
   419          u8 pipe, type, instruction;
   420  
   421          while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
   422                  pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The NCI_HCP_MSG_GET_PIPE() macro looks like this:

#define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)

   423                  skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
   424                  message = (struct nci_hcp_message *)skb->data;
   425                  type = NCI_HCP_MSG_GET_TYPE(message->header);
   426                  instruction = NCI_HCP_MSG_GET_CMD(message->header);
   427                  skb_pull(skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
   428  
   429                  nci_hci_hcp_message_rx(hdev->ndev, pipe,
   430                                         type, instruction, skb);
   431          }
   432  }

regards,
dan carpenter
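The bounds check the report implies is missing, as an added C example that is neither kernel code nor the eventual fix; it assumes the 127-entry array is sized by a constant named NCI_HCI_MAX_PIPES and uses a constructed stand-in for the per-pipe table:

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;

/* Array size as stated in the report: 127 entries, valid indices 0..126.
 * The constant name is assumed; the value comes from the report. */
#define NCI_HCI_MAX_PIPES 127

/* Macro quoted in the report: masking with 0x7f yields 0..127, which is one
 * value more than pipes[] can hold. */
#define NCI_HCP_MSG_GET_PIPE(header) ((header) & 0x7f)

/* Constructed stand-in for the kernel's per-pipe state. */
struct nci_hci_pipe {
    u8 gate;
};

struct nci_hci_dev {
    struct nci_hci_pipe pipes[NCI_HCI_MAX_PIPES];
};

/* Return the gate for `pipe` through *gate, or -EINVAL when the index lies
 * outside pipes[]. Rejecting the index before the array access is the
 * defensive check the static checker warning is asking for. */
int nci_hci_pipe_gate(const struct nci_hci_dev *hdev, u8 pipe, u8 *gate)
{
    if (pipe >= NCI_HCI_MAX_PIPES)
        return -EINVAL;
    *gate = hdev->pipes[pipe].gate;
    return 0;
}

/* Extract the pipe from the HCP packet header byte the way
 * nci_hci_msg_rx_work() does, then look up the gate with the check applied. */
int nci_hci_gate_from_header(const struct nci_hci_dev *hdev, u8 header, u8 *gate)
{
    u8 pipe = NCI_HCP_MSG_GET_PIPE(header);
    return nci_hci_pipe_gate(hdev, pipe, gate);
}

/* Boundary demonstration: header 0xfe masks to pipe 126 (last valid entry)
 * and succeeds; header 0x7f masks to pipe 127 and is rejected. Returns 1
 * when both outcomes are as expected. */
int pipe_127_is_rejected(void)
{
    struct nci_hci_dev hdev;
    u8 gate = 0;
    memset(&hdev, 0xff, sizeof(hdev));
    hdev.pipes[NCI_HCI_MAX_PIPES - 1].gate = 0x05;
    if (nci_hci_gate_from_header(&hdev, 0xfe, &gate) != 0 || gate != 0x05)
        return 0;
    return nci_hci_gate_from_header(&hdev, 0x7f, &gate) == -EINVAL;
}
```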
