[bug report] NFC: nci: Add HCI over NCI protocol support
@ 2018-02-02 14:35 Dan Carpenter
From: Dan Carpenter @ 2018-02-02 14:35 UTC (permalink / raw)
To: christophe.ricard; +Cc: linux-wireless
Hello Christophe Ricard,
The patch 11f54f228643: "NFC: nci: Add HCI over NCI protocol support"
from Feb 1, 2015, leads to the following static checker warning:
net/nfc/nci/hci.c:297 nci_hci_cmd_received()
error: buffer overflow 'ndev->hci_dev->pipes' 127 <= 127
net/nfc/nci/hci.c
294 static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
295 u8 cmd, struct sk_buff *skb)
296 {
297 u8 gate = ndev->hci_dev->pipes[pipe].gate;
^^^^
->pipes[] has 127 elements and "pipe" can go up to 127 so this might be
reading one element beyond the end of the array.
298 u8 status = NCI_HCI_ANY_OK | ~NCI_HCI_FRAGMENT;
299 u8 dest_gate, new_pipe;
300 struct nci_hci_create_pipe_resp *create_info;
301 struct nci_hci_delete_pipe_noti *delete_info;
302 struct nci_hci_all_pipe_cleared_noti *cleared_info;
303
304 pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
305
"pipe" can come from two places but they're both essentially the same:
net/nfc/nci/hci.c
413 static void nci_hci_msg_rx_work(struct work_struct *work)
414 {
415 struct nci_hci_dev *hdev =
416 container_of(work, struct nci_hci_dev, msg_rx_work);
417 struct sk_buff *skb;
418 struct nci_hcp_message *message;
419 u8 pipe, type, instruction;
420
421 while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
422 pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The NCI_HCP_MSG_GET_PIPE() macro looks like this:
#define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)
423 skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
424 message = (struct nci_hcp_message *)skb->data;
425 type = NCI_HCP_MSG_GET_TYPE(message->header);
426 instruction = NCI_HCP_MSG_GET_CMD(message->header);
427 skb_pull(skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
428
429 nci_hci_hcp_message_rx(hdev->ndev, pipe,
430 type, instruction, skb);
431 }
432 }
regards,
dan carpenter
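As an added illustration of the off-by-one described in the report (this is constructed model code, not the kernel's net/nfc/nci/hci.c and not Dan Carpenter's patch): the 7-bit mask in NCI_HCP_MSG_GET_PIPE() can yield any value from 0 to 127, while an array of 127 elements only has valid indices 0 to 126. The example models the pipes[] array with the length the report gives, extracts the pipe from a header byte with the same mask, and shows a bounded lookup that rejects index 127 instead of reading past the end. The names pipe_info, hci_dev_model, pipe_gate_lookup, handle_hcp_header and demo_lookup are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the structures in the report, not the kernel's code.
 * The report states that ndev->hci_dev->pipes[] has 127 elements. */
#define PIPES_LEN 127

/* Same mask as the kernel's NCI_HCP_MSG_GET_PIPE(): a 7-bit field, 0..127. */
#define HCP_MSG_GET_PIPE(header) ((header) & 0x7f)

struct pipe_info {
    uint8_t gate;
    uint8_t host;
};

struct hci_dev_model {
    struct pipe_info pipes[PIPES_LEN];
};

/* Bounded lookup: returns false (and leaves *gate untouched) when the pipe
 * index is outside the array, instead of reading pipes[127]. */
static bool pipe_gate_lookup(const struct hci_dev_model *hdev, uint8_t pipe,
                             uint8_t *gate)
{
    if (pipe >= PIPES_LEN)
        return false;
    *gate = hdev->pipes[pipe].gate;
    return true;
}

/* Mirrors the receive path: extract the pipe from the HCP packet header
 * byte, then look it up with the bounds check. Returns the gate, or -1 if
 * the index was rejected. */
static int handle_hcp_header(const struct hci_dev_model *hdev, uint8_t header)
{
    uint8_t pipe = HCP_MSG_GET_PIPE(header);
    uint8_t gate;

    if (!pipe_gate_lookup(hdev, pipe, &gate))
        return -1;
    return gate;
}

/* Largest pipe index the 7-bit mask can produce; equals PIPES_LEN, which is
 * exactly the one-past-the-end index the static checker complained about. */
static unsigned max_masked_pipe(void)
{
    unsigned max = 0;

    for (unsigned h = 0; h <= 0xff; h++) {
        unsigned p = HCP_MSG_GET_PIPE(h);
        if (p > max)
            max = p;
    }
    return max;
}

/* Builds a constructed device with one populated pipe entry and runs the
 * receive path on a single header byte. */
static int demo_lookup(uint8_t header)
{
    struct hci_dev_model hdev;

    memset(&hdev, 0, sizeof(hdev));
    hdev.pipes[0x7e].gate = 0x41;   /* constructed sample entry */
    return handle_hcp_header(&hdev, header);
}

int main(void)
{
    printf("max pipe from mask: %u (array length %d)\n",
           max_masked_pipe(), PIPES_LEN);
    printf("header 0x7e -> gate 0x%02x\n", demo_lookup(0x7e));
    printf("header 0x7f -> %d (rejected)\n", demo_lookup(0x7f));
    printf("header 0xff -> %d (rejected, masks to 0x7f)\n", demo_lookup(0xff));
    return 0;
}
```

The check belongs at the point where the untrusted header byte is turned into an index, before any field of the selected entry is read; masking alone does not bound the value, because the mask's range is one larger than the array.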