* [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()
@ 2013-01-31 8:16 Dan Carpenter
[not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-01-31 8:16 UTC (permalink / raw)
To: Lauro Ramos Venancio
Cc: Aloisio Almeida Jr, Samuel Ortiz, David S. Miller,
John W. Linville, Thierry Escande, Szymon Janc, linux-wireless,
linux-nfc, netdev, kernel-janitors
If gb_len is less than 3 it would cause an integer underflow and
possibly memory corruption in nfc_llcp_parse_gb_tlv().
I removed the old test for gb_len == 0. I also removed the test for
->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and
we have already dereferenced ->remote_gb_len so it's too late to test.
The old test return -ENODEV but my test returns -EINVAL.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 85bc75c..746f5a2 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
pr_err("No LLCP device\n");
return -ENODEV;
}
+ if (gb_len < 3)
+ return -EINVAL;
memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
memcpy(local->remote_gb, gb, gb_len);
local->remote_gb_len = gb_len;
- if (local->remote_gb == NULL || local->remote_gb_len == 0)
- return -ENODEV;
-
if (memcmp(local->remote_gb, llcp_magic, 3)) {
pr_err("MAC does not support LLCP\n");
return -EINVAL;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()
[not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
@ 2013-02-07 10:16 ` Szymon Janc
2013-03-01 5:20 ` [patch] NFC: llcp: cleanup underflow check Dan Carpenter
0 siblings, 1 reply; 3+ messages in thread
From: Szymon Janc @ 2013-02-07 10:16 UTC (permalink / raw)
To: Dan Carpenter
Cc: Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz,
David S. Miller, John W. Linville, Thierry Escande,
linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-nfc-y27Ovi1pjclAfugRpC6u6w@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
kernel-janitors-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Hi Dan,
On Thursday 31 of January 2013 10:16:46 Dan Carpenter wrote:
> If gb_len is less than 3 it would cause an integer underflow and
> possibly memory corruption in nfc_llcp_parse_gb_tlv().
>
> I removed the old test for gb_len == 0. I also removed the test for
> ->remote_gb == NULL. It's not possible for ->remote_gb to be NULL and
> we have already dereferenced ->remote_gb_len so it's too late to test.
>
> The old test return -ENODEV but my test returns -EINVAL.
>
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
>
> diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
> index 85bc75c..746f5a2 100644
> --- a/net/nfc/llcp/llcp.c
> +++ b/net/nfc/llcp/llcp.c
> @@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
> pr_err("No LLCP device\n");
> return -ENODEV;
> }
> + if (gb_len < 3)
> + return -EINVAL;
Maybe define NFC_MIN_GT_LEN and test it together with NFC_MAX_GT_LEN in
nfc_set_remote_general_bytes() ?
>
> memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
> memcpy(local->remote_gb, gb, gb_len);
> local->remote_gb_len = gb_len;
>
> - if (local->remote_gb == NULL || local->remote_gb_len == 0)
> - return -ENODEV;
> -
> if (memcmp(local->remote_gb, llcp_magic, 3)) {
> pr_err("MAC does not support LLCP\n");
> return -EINVAL;
--
BR
Szymon Janc
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* [patch] NFC: llcp: cleanup underflow check
2013-02-07 10:16 ` Szymon Janc
@ 2013-03-01 5:20 ` Dan Carpenter
0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2013-03-01 5:20 UTC (permalink / raw)
To: Lauro Ramos Venancio
Cc: Aloisio Almeida Jr, Samuel Ortiz, David S. Miller,
John W. Linville, Thierry Escande, Szymon Janc, linux-wireless,
linux-nfc, netdev, kernel-janitors
Szymon Janc suggested I should move the lower bound check into the
caller and make it match the check for NFC_MAX_GT_LEN.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
index 87a6417..e50dd2c 100644
--- a/include/net/nfc/nfc.h
+++ b/include/net/nfc/nfc.h
@@ -74,6 +74,7 @@ struct nfc_ops {
#define NFC_TARGET_IDX_ANY -1
#define NFC_MAX_GT_LEN 48
+#define NFC_MIN_GT_LEN 3
#define NFC_ATR_RES_GT_OFFSET 15
struct nfc_target {
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 6ceee8e..e2c3b6e 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -450,7 +450,7 @@ int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
{
pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
- if (gb_len > NFC_MAX_GT_LEN)
+ if (gb_len < NFC_MIN_GT_LEN || gb_len > NFC_MAX_GT_LEN)
return -EINVAL;
return nfc_llcp_set_remote_gb(dev, gb, gb_len);
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7f8266d..7be27fb 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -547,8 +547,6 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
pr_err("No LLCP device\n");
return -ENODEV;
}
- if (gb_len < 3)
- return -EINVAL;
memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
memcpy(local->remote_gb, gb, gb_len);
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-03-01 5:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-31 8:16 [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb() Dan Carpenter
[not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
2013-02-07 10:16 ` Szymon Janc
2013-03-01 5:20 ` [patch] NFC: llcp: cleanup underflow check Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox