linux/drivers/nfc
Martin Faltesek 0254f31a7d nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION
The transaction buffer is allocated by using the size of the packet buf,
and subtracting two which seems intended to remove the two tags which are
not present in the target structure. This calculation leads to under
counting memory because of differences between the packet contents and the
target structure. The aid_len field is a u8 in the packet, but a u32 in
the structure, resulting in at least 3 bytes always being under counted.
Further, the aid data is a variable length field in the packet, but fixed
in the structure, so if this field is less than the max, the difference is
added to the under counting.

To fix, perform validation checks progressively to safely reach the
next field, to determine the size of both buffers and verify both tags.
Once all validation checks pass, allocate the buffer and copy the data.
This eliminates freeing memory on the error path, as validation checks are
moved ahead of memory allocation.

Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
Reviewed-by: Guenter Roeck <groeck@google.com>
Fixes: 5d1ceb7f5e ("NFC: st21nfcb: Add HCI transaction event support")
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-11-23 20:01:50 -08:00
..
fdp nfc: fdp: Fix potential memory leak in fdp_nci_send() 2022-10-30 21:43:26 +00:00
microread i2c: Make remove callback return void 2022-08-16 12:46:26 +02:00
nfcmrvl nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() 2022-11-21 08:31:52 +00:00
nxp-nci nfc: nxp-nci: Fix potential memory leak in nxp_nci_send() 2022-11-21 08:31:53 +00:00
pn533 Merge tag 'v6.0-rc5' into i2c/for-mergewindow 2022-09-16 20:42:18 +01:00
pn544 i2c: Make remove callback return void 2022-08-16 12:46:26 +02:00
s3fwrn5 nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() 2022-11-21 08:31:53 +00:00
st21nfca i2c: Make remove callback return void 2022-08-16 12:46:26 +02:00
st95hf spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
st-nci nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION 2022-11-23 20:01:50 -08:00
Kconfig nfc: Add a virtual nci device driver 2021-01-29 18:03:33 -08:00
Makefile nfc: Add a virtual nci device driver 2021-01-29 18:03:33 -08:00
mei_phy.c nfc: mei_phy: constify buffer passed to mei_nfc_send() 2021-07-29 12:28:02 +01:00
mei_phy.h nfc: constify nfc_phy_ops 2021-07-25 09:21:21 +01:00
nfcsim.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-07-31 09:14:46 -07:00
port100.c NFC: port100: fix use-after-free in port100_send_complete 2022-03-09 19:59:34 -08:00
trf7970a.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
virtual_ncidev.c nfc: virtual_ncidev: Fix memory leak in virtual_nci_send() 2022-10-20 21:13:04 -07:00