[patch] NFC: llcp: integer underflow in nfc_llcp_set_remote

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()
@ 2013-01-31  8:16 Dan Carpenter
       [not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2013-01-31  8:16 UTC (permalink / raw)
  To: Lauro Ramos Venancio
  Cc: Aloisio Almeida Jr, Samuel Ortiz, David S. Miller,
	John W. Linville, Thierry Escande, Szymon Janc, linux-wireless,
	linux-nfc, netdev, kernel-janitors

If gb_len is less than 3 it would cause an integer underflow and
possibly memory corruption in nfc_llcp_parse_gb_tlv().

I removed the old test for gb_len == 0.  I also removed the test for
->remote_gb == NULL.  It's not possible for ->remote_gb to be NULL and
we have already dereferenced ->remote_gb_len so it's too late to test.

The old test return -ENODEV but my test returns -EINVAL.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 85bc75c..746f5a2 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
 		pr_err("No LLCP device\n");
 		return -ENODEV;
 	}
+	if (gb_len < 3)
+		return -EINVAL;
 
 	memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
 	memcpy(local->remote_gb, gb, gb_len);
 	local->remote_gb_len = gb_len;
 
-	if (local->remote_gb == NULL || local->remote_gb_len == 0)
-		return -ENODEV;
-
 	if (memcmp(local->remote_gb, llcp_magic, 3)) {
 		pr_err("MAC does not support LLCP\n");
 		return -EINVAL;

^ permalink raw reply related	[flat|nested] 3+ messages in thread

[parent not found: <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>]

* Re: [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb()
       [not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
@ 2013-02-07 10:16   ` Szymon Janc
  2013-03-01  5:20     ` [patch] NFC: llcp: cleanup underflow check Dan Carpenter
  0 siblings, 1 reply; 3+ messages in thread
From: Szymon Janc @ 2013-02-07 10:16 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz,
	David S. Miller, John W. Linville, Thierry Escande,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-nfc-y27Ovi1pjclAfugRpC6u6w@public.gmane.org,
	netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	kernel-janitors-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

Hi Dan,

On Thursday 31 of January 2013 10:16:46 Dan Carpenter wrote:
> If gb_len is less than 3 it would cause an integer underflow and
> possibly memory corruption in nfc_llcp_parse_gb_tlv().
> 
> I removed the old test for gb_len == 0.  I also removed the test for
> ->remote_gb == NULL.  It's not possible for ->remote_gb to be NULL and
> we have already dereferenced ->remote_gb_len so it's too late to test.
> 
> The old test return -ENODEV but my test returns -EINVAL.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
> 
> diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
> index 85bc75c..746f5a2 100644
> --- a/net/nfc/llcp/llcp.c
> +++ b/net/nfc/llcp/llcp.c
> @@ -549,14 +549,13 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
>  		pr_err("No LLCP device\n");
>  		return -ENODEV;
>  	}
> +	if (gb_len < 3)
> +		return -EINVAL;

Maybe define NFC_MIN_GT_LEN and test it together with NFC_MAX_GT_LEN in
nfc_set_remote_general_bytes() ?

>  
>  	memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
>  	memcpy(local->remote_gb, gb, gb_len);
>  	local->remote_gb_len = gb_len;
>  
> -	if (local->remote_gb == NULL || local->remote_gb_len == 0)
> -		return -ENODEV;
> -
>  	if (memcmp(local->remote_gb, llcp_magic, 3)) {
>  		pr_err("MAC does not support LLCP\n");
>  		return -EINVAL;

-- 
BR
Szymon Janc
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [patch] NFC: llcp: cleanup underflow check
  2013-02-07 10:16   ` Szymon Janc
@ 2013-03-01  5:20     ` Dan Carpenter
  0 siblings, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2013-03-01  5:20 UTC (permalink / raw)
  To: Lauro Ramos Venancio
  Cc: Aloisio Almeida Jr, Samuel Ortiz, David S. Miller,
	John W. Linville, Thierry Escande, Szymon Janc, linux-wireless,
	linux-nfc, netdev, kernel-janitors

Szymon Janc suggested I should move the lower bound check into the
caller and make it match the check for NFC_MAX_GT_LEN.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
index 87a6417..e50dd2c 100644
--- a/include/net/nfc/nfc.h
+++ b/include/net/nfc/nfc.h
@@ -74,6 +74,7 @@ struct nfc_ops {
 
 #define NFC_TARGET_IDX_ANY -1
 #define NFC_MAX_GT_LEN 48
+#define NFC_MIN_GT_LEN 3
 #define NFC_ATR_RES_GT_OFFSET 15
 
 struct nfc_target {
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 6ceee8e..e2c3b6e 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -450,7 +450,7 @@ int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
 {
 	pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
 
-	if (gb_len > NFC_MAX_GT_LEN)
+	if (gb_len < NFC_MIN_GT_LEN || gb_len > NFC_MAX_GT_LEN)
 		return -EINVAL;
 
 	return nfc_llcp_set_remote_gb(dev, gb, gb_len);
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7f8266d..7be27fb 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -547,8 +547,6 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
 		pr_err("No LLCP device\n");
 		return -ENODEV;
 	}
-	if (gb_len < 3)
-		return -EINVAL;
 
 	memset(local->remote_gb, 0, NFC_MAX_GT_LEN);
 	memcpy(local->remote_gb, gb, gb_len);

^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2013-03-01  5:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-31  8:16 [patch] NFC: llcp: integer underflow in nfc_llcp_set_remote_gb() Dan Carpenter
     [not found] ` <20130131081645.GA14812-mgFCXtclrQlZLf2FXnZxJA@public.gmane.org>
2013-02-07 10:16   ` Szymon Janc
2013-03-01  5:20     ` [patch] NFC: llcp: cleanup underflow check Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox