From: Dan Carpenter <dan.carpenter@oracle.com>
To: christophe.ricard@gmail.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] NFC: nci: Add HCI over NCI protocol support
Date: Fri, 2 Feb 2018 17:35:25 +0300	[thread overview]
Message-ID: <20180202143525.GA24629@mwanda> (raw)

Hello Christophe Ricard,

The patch 11f54f228643: "NFC: nci: Add HCI over NCI protocol support"
from Feb 1, 2015, leads to the following static checker warning:

	net/nfc/nci/hci.c:297 nci_hci_cmd_received()
	error: buffer overflow 'ndev->hci_dev->pipes' 127 <= 127

net/nfc/nci/hci.c
   294  static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
   295                                   u8 cmd, struct sk_buff *skb)
   296  {
   297          u8 gate = ndev->hci_dev->pipes[pipe].gate;
                                               ^^^^
->pipes[] has 127 elements and "pipe" can go up to 127 so this might be
reading one element beyond the end of the array.

   298          u8 status = NCI_HCI_ANY_OK | ~NCI_HCI_FRAGMENT;
   299          u8 dest_gate, new_pipe;
   300          struct nci_hci_create_pipe_resp *create_info;
   301          struct nci_hci_delete_pipe_noti *delete_info;
   302          struct nci_hci_all_pipe_cleared_noti *cleared_info;
   303  
   304          pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
   305  

"pipe" can come from two places but they're both essentially the same:

net/nfc/nci/hci.c
   413  static void nci_hci_msg_rx_work(struct work_struct *work)
   414  {
   415          struct nci_hci_dev *hdev =
   416                  container_of(work, struct nci_hci_dev, msg_rx_work);
   417          struct sk_buff *skb;
   418          struct nci_hcp_message *message;
   419          u8 pipe, type, instruction;
   420  
   421          while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
   422                  pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The NCI_HCP_MSG_GET_PIPE() macro looks like this:

#define NCI_HCP_MSG_GET_PIPE(header) (header & 0x7f)

   423                  skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
   424                  message = (struct nci_hcp_message *)skb->data;
   425                  type = NCI_HCP_MSG_GET_TYPE(message->header);
   426                  instruction = NCI_HCP_MSG_GET_CMD(message->header);
   427                  skb_pull(skb, NCI_HCI_HCP_MESSAGE_HEADER_LEN);
   428  
   429                  nci_hci_hcp_message_rx(hdev->ndev, pipe,
   430                                         type, instruction, skb);
   431          }
   432  }

regards,
dan carpenter

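Added example, not part of the report or of the kernel tree: a small user-space C model of the lookup described above. It reproduces the 7-bit NCI_HCP_MSG_GET_PIPE() mask quoted in the mail, models pipes[] as a 127-element array, counts which of the 256 possible header bytes yield an index the array cannot hold, and shows a lookup that rejects such a pipe before dereferencing the array. The macro name NCI_HCI_MAX_PIPES, the struct layout and the sample gate values are assumptions made for this example; only the array length (127) and the mask (0x7f) come from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the report: pipes[] has 127 entries, pipe id is header & 0x7f. */
#define NCI_HCI_MAX_PIPES 127               /* assumed name for the array length */
#define NCI_HCP_MSG_GET_PIPE(header) ((header) & 0x7f)

/* Simplified stand-in for the kernel's per-pipe record (assumption). */
struct pipe_entry {
	uint8_t gate;
	uint8_t host;
};

/* Simplified stand-in for ndev->hci_dev (assumption). */
struct hci_dev_model {
	struct pipe_entry pipes[NCI_HCI_MAX_PIPES];
};

/* Valid indexes are 0 .. NCI_HCI_MAX_PIPES - 1; the mask can also yield 127. */
static bool pipe_index_ok(uint8_t pipe)
{
	return pipe < NCI_HCI_MAX_PIPES;
}

/*
 * Hardened version of "gate = pipes[pipe].gate": the pipe number is
 * checked against the array length before the array is touched.
 * Returns the gate, or -1 when the header encodes an out-of-range pipe.
 */
static int lookup_gate(const struct hci_dev_model *dev, uint8_t header)
{
	uint8_t pipe = NCI_HCP_MSG_GET_PIPE(header);

	if (!pipe_index_ok(pipe))
		return -1;
	return dev->pipes[pipe].gate;
}

/* How many of the 256 possible first bytes produce a pipe the array cannot hold. */
static int count_out_of_range_headers(void)
{
	int n = 0;

	for (int h = 0; h < 256; h++)
		if (!pipe_index_ok((uint8_t)NCI_HCP_MSG_GET_PIPE(h)))
			n++;
	return n;
}

/* Constructed sample device: pipe 5 bound to gate 0x10, everything else zero. */
static void init_sample_dev(struct hci_dev_model *dev)
{
	memset(dev, 0, sizeof(*dev));
	dev->pipes[5].gate = 0x10;
}

int main(void)
{
	struct hci_dev_model dev;

	init_sample_dev(&dev);
	printf("header bytes mapping past the array: %d\n",
	       count_out_of_range_headers());            /* 0x7f and 0xff */
	printf("pipe 5 -> gate %d\n", lookup_gate(&dev, 0x05));
	printf("pipe 127 -> %d (rejected)\n", lookup_gate(&dev, 0x7f));
	return 0;
}
```

The count is 2 (headers 0x7f and 0xff both mask to 127), which is the single index the report's static checker flagged; the check in lookup_gate() is the shape of guard the report calls for, placed before the array read rather than after it.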