[PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received()
@ 2019-04-03  7:12 Dan Carpenter
  2019-04-03  7:13 ` [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array Dan Carpenter
  2019-04-06 22:04 ` [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2019-04-03  7:12 UTC (permalink / raw)
  To: Samuel Ortiz, Christophe Ricard
  Cc: linux-wireless, kernel-janitors, David S. Miller, netdev,
	Suren Baghdasaryan

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands").

I'm not totally sure, but I think that commit description may have
overstated the danger.  I was under the impression that this data came
from the firmware?  If you can't trust your networking firmware, then
you're already in trouble.

Anyway, these days we add bounds checking where ever we can and we call
it kernel hardening.  Better safe than sorry.

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/nfc/nci/hci.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
index ddfc52ac1f9b..c0d323b58e73 100644
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
 		create_info = (struct nci_hci_create_pipe_resp *)skb->data;
 		dest_gate = create_info->dest_gate;
 		new_pipe = create_info->pipe;
+		if (new_pipe >= NCI_HCI_MAX_PIPES) {
+			status = NCI_HCI_ANY_E_NOK;
+			goto exit;
+		}
 
 		/* Save the new created pipe and bind with local gate,
 		 * the description for skb->data[3] is destination gate id
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
 			goto exit;
 		}
 		delete_info = (struct nci_hci_delete_pipe_noti *)skb->data;
+		if (delete_info->pipe >= NCI_HCI_MAX_PIPES) {
+			status = NCI_HCI_ANY_E_NOK;
+			goto exit;
+		}
 
 		ndev->hci_dev->pipes[delete_info->pipe].gate =
 						NCI_HCI_INVALID_GATE;
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array
  2019-04-03  7:12 [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Dan Carpenter
@ 2019-04-03  7:13 ` Dan Carpenter
  2019-04-06 22:04   ` David Miller
  2019-04-06 22:04 ` [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2019-04-03  7:13 UTC (permalink / raw)
  To: Samuel Ortiz, Christophe Ricard
  Cc: linux-wireless, kernel-janitors, David S. Miller, netdev

This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
where we changed NFC_HCI_MAX_PIPES from 127 to 128.

As the comment next to the define explains, the pipe identifier is 7
bits long.  The highest possible pipe is 127, but the number of possible
pipes is 128.  As the code is now, then there is potential for an
out of bounds array access:

    net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
    'ndev->hci_dev->pipes[pipe]' '0-127 == 127'

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 include/net/nfc/nci_core.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h
index 87499b6b35d6..df5c69db68af 100644
--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -166,7 +166,7 @@ struct nci_conn_info {
  * According to specification 102 622 chapter 4.4 Pipes,
  * the pipe identifier is 7 bits long.
  */
-#define NCI_HCI_MAX_PIPES          127
+#define NCI_HCI_MAX_PIPES          128

 struct nci_hci_gate {
 	u8 gate;
-- 
2.17.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received()
  2019-04-03  7:12 [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Dan Carpenter
  2019-04-03  7:13 ` [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array Dan Carpenter
@ 2019-04-06 22:04 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2019-04-06 22:04 UTC (permalink / raw)
  To: dan.carpenter
  Cc: sameo, christophe.ricard, linux-wireless, kernel-janitors, netdev,
	surenb

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 3 Apr 2019 10:12:48 +0300

> This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
> corruption when handling SHDLC I-Frame commands").
> 
> I'm not totally sure, but I think that commit description may have
> overstated the danger.  I was under the impression that this data came
> from the firmware?  If you can't trust your networking firmware, then
> you're already in trouble.
> 
> Anyway, these days we add bounds checking where ever we can and we call
> it kernel hardening.  Better safe than sorry.
> 
> Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array
  2019-04-03  7:13 ` [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array Dan Carpenter
@ 2019-04-06 22:04   ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2019-04-06 22:04 UTC (permalink / raw)
  To: dan.carpenter
  Cc: sameo, christophe.ricard, linux-wireless, kernel-janitors, netdev

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 3 Apr 2019 10:13:51 +0300

> This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
> where we changed NFC_HCI_MAX_PIPES from 127 to 128.
> 
> As the comment next to the define explains, the pipe identifier is 7
> bits long.  The highest possible pipe is 127, but the number of possible
> pipes is 128.  As the code is now, then there is potential for an
> out of bounds array access:
> 
>     net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
>     'ndev->hci_dev->pipes[pipe]' '0-127 == 127'
> 
> Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-04-06 22:04 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-03  7:12 [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Dan Carpenter
2019-04-03  7:13 ` [PATCH 2/2 net] nfc: nci: Potential off by one in ->pipes[] array Dan Carpenter
2019-04-06 22:04   ` David Miller
2019-04-06 22:04 ` [PATCH 1/2 net] NFC: nci: Add some bounds checking in nci_hci_cmd_received() David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).