From: Greg KH <gregkh@linuxfoundation.org>
To: Amit Pundir <amit.pundir@linaro.org>
Cc: lkml <linux-kernel@vger.kernel.org>,
linux-wireless@vger.kernel.org,
Samuel Ortiz <sameo@linux.intel.com>,
Christophe Ricard <christophe.ricard@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
John Stultz <john.stultz@linaro.org>,
Dmitry Shmidt <dimitrysh@google.com>,
Todd Kjos <tkjos@google.com>,
Android Kernel Team <kernel-team@android.com>,
Suren Baghdasaryan <surenb@google.com>
Subject: Re: [RESEND][PATCH 4/4] NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver
Date: Mon, 23 Apr 2018 11:16:31 +0200 [thread overview]
Message-ID: <20180423091631.GA14322@kroah.com> (raw)
In-Reply-To: <1524045904-7005-5-git-send-email-amit.pundir@linaro.org>
On Wed, Apr 18, 2018 at 03:35:04PM +0530, Amit Pundir wrote:
> From: Suren Baghdasaryan <surenb@google.com>
>
> Possible buffer overflow when reading next_read_size bytes into
> tmp buffer after next_read_size was extracted from a previous packet.
>
> Signed-off-by: Suren Baghdasaryan <surenb@google.com>
> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
> ---
> drivers/nfc/fdp/i2c.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
> index c4da50e07bbc..08a4f82a2965 100644
> --- a/drivers/nfc/fdp/i2c.c
> +++ b/drivers/nfc/fdp/i2c.c
> @@ -176,6 +176,16 @@ static int fdp_nci_i2c_read(struct fdp_i2c_phy *phy, struct sk_buff **skb)
> /* Packet that contains a length */
> if (tmp[0] == 0 && tmp[1] == 0) {
> phy->next_read_size = (tmp[2] << 8) + tmp[3] + 3;
> + /*
> + * Ensure next_read_size does not exceed sizeof(tmp)
> + * for reading that many bytes during next iteration
> + */
> + if (phy->next_read_size > FDP_NCI_I2C_MAX_PAYLOAD) {
> + dev_dbg(&client->dev, "%s: corrupted packet\n",
> + __func__);
As Andy points out, no need for __func__ in any dev_dbg() call.
thanks,
greg k-h
next prev parent reply other threads:[~2018-04-23 9:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-18 10:05 [RESEND][PATCH 0/4] Few NFC fixes from android-4.14 tree Amit Pundir
2018-04-18 10:05 ` [RESEND][PATCH 1/4] NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ Amit Pundir
2018-04-18 10:05 ` [RESEND][PATCH 2/4] NFC: st21nfca: Fix memory OOB and leak issues in connectivity events handler Amit Pundir
2018-04-20 12:39 ` Andy Shevchenko
2018-04-20 16:45 ` Mark Greer
2018-04-23 17:21 ` Amit Pundir
2018-04-23 17:20 ` Amit Pundir
2018-04-18 10:05 ` [RESEND][PATCH 3/4] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands Amit Pundir
2018-04-18 10:05 ` [RESEND][PATCH 4/4] NFC: fdp: Fix possible buffer overflow in WCS4000 NFC driver Amit Pundir
2018-04-20 12:41 ` Andy Shevchenko
2018-04-23 9:16 ` Greg KH [this message]
2018-04-23 10:02 ` Amit Pundir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180423091631.GA14322@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=christophe.ricard@gmail.com \
--cc=dimitrysh@google.com \
--cc=john.stultz@linaro.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=sameo@linux.intel.com \
--cc=surenb@google.com \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.