1. Patchew
  2. linux
  3. View series

[PATCH v3] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

Jordy Zomer posted 1 patch 4 years, 5 months ago 
drivers/nfc/st21nfca/se.c | 10 ++++++++++
1 file changed, 10 insertions(+)
[PATCH v3] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Posted by Jordy Zomer 4 years, 5 months ago 
It appears that there are some buffer overflows in EVT_TRANSACTION.
This happens because the length parameters that are passed to memcpy
come directly from skb->data and are not guarded in any way.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
 drivers/nfc/st21nfca/se.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
index a43fc4117fa5..c922f10d0d7b 100644
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -316,6 +316,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
 			return -ENOMEM;
 
 		transaction->aid_len = skb->data[1];
+
+		/* Checking if the length of the AID is valid */
+		if (transaction->aid_len > sizeof(transaction->aid))
+			return -EINVAL;
+
 		memcpy(transaction->aid, &skb->data[2],
 		       transaction->aid_len);
 
@@ -325,6 +330,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
 			return -EPROTO;
 
 		transaction->params_len = skb->data[transaction->aid_len + 3];
+
+		/* Total size is allocated (skb->len - 2) minus fixed array members */
+		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+			return -EINVAL;
+
 		memcpy(transaction->params, skb->data +
 		       transaction->aid_len + 4, transaction->params_len);
 
-- 
2.27.0
Re: [PATCH v3] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Posted by Krzysztof Kozlowski 4 years, 5 months ago 
On 11/01/2022 17:44, Jordy Zomer wrote:
> It appears that there are some buffer overflows in EVT_TRANSACTION.
> This happens because the length parameters that are passed to memcpy
> come directly from skb->data and are not guarded in any way.
> 
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> ---
>  drivers/nfc/st21nfca/se.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 


Looks ok.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>


Best regards,
Krzysztof
Re: [PATCH v3] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
Posted by Jakub Kicinski 4 years, 5 months ago 
On Wed, 12 Jan 2022 11:07:34 +0100 Krzysztof Kozlowski wrote:
> On 11/01/2022 17:44, Jordy Zomer wrote:
> > It appears that there are some buffer overflows in EVT_TRANSACTION.
> > This happens because the length parameters that are passed to memcpy
> > come directly from skb->data and are not guarded in any way.
> > 
> > Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> 
> Looks ok.
> 
> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Thanks! I believe this is commit 4fbcc1a4cb20 ("nfc: st21nfca: Fix
potential buffer overflows in EVT_TRANSACTION") in net.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.