[ 05/48] NFC: Prevent multiple buffer overflows in NCI
From: Ben Hutchings <hidden>
Date: 2012-07-09 14:47:47
Also in:
lkml
3.2-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Rosenberg <redacted> commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream. Fix multiple remotely-exploitable stack-based buffer overflows due to the NCI code pulling length fields directly from incoming frames and copying too much data into statically-sized arrays. Signed-off-by: Dan Rosenberg <redacted> Cc: security@kernel.org Cc: Lauro Ramos Venancio <redacted> Cc: Aloisio Almeida Jr <redacted> Cc: Samuel Ortiz <redacted> Cc: David S. Miller <davem@davemloft.net> Acked-by: Ilan Elias <redacted> Signed-off-by: Samuel Ortiz <redacted> [bwh: Backported to 3.2: - Drop changes to parsing of tech B and tech F parameters - Various renaming] Signed-off-by: Ben Hutchings <redacted> ---
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_ nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); data += 2; - nfca_poll->nfcid1_len = *data++; + nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1)); nfc_dbg("sens_res 0x%x, nfcid1_len %d", nfca_poll->sens_res,
@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_ switch (ntf->rf_interface_type) { case NCI_RF_INTERFACE_ISO_DEP: - nfca_poll_iso_dep->rats_res_len = *data++; + nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20); if (nfca_poll_iso_dep->rats_res_len > 0) { memcpy(nfca_poll_iso_dep->rats_res, data,