ANDROID: NFC: st21nfca: Fix out of bounds kernel access when handling ATR_REQ Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. Bug: 62679012 Signed-off-by: Suren Baghdasaryan <surenb@google.com>

commit: 85e5fc78cf64232a9ce06f3b0bdef75042f1b5d0 [log] [tgz]
author: Suren Baghdasaryan <surenb@google.com> Thu Aug 17 10:43:14 2017 -0700
committer: Suren Baghdasaryan <surenb@google.com> Fri Aug 18 22:01:25 2017 +0000
tree: bd48bdba9e9cdd22b3798e1b956a6a9b24ab89ba
parent: ca95b3e3a5a1ce52be5a958637ac064e28fe4be9 [diff] [blame]
diff --git a/drivers/nfc/st21nfca/dep.c b/drivers/nfc/st21nfca/dep.c
index 798a32b..2062852 100644
--- a/drivers/nfc/st21nfca/dep.c
+++ b/drivers/nfc/st21nfca/dep.c

@@ -217,7 +217,8 @@
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
-	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+	if (atr_req->length < sizeof(struct st21nfca_atr_req) ||
+	    atr_req->length > skb->len) {
 		r = -EPROTO;
 		goto exit;
 	}
commit	85e5fc78cf64232a9ce06f3b0bdef75042f1b5d0	[log] [tgz]
author	Suren Baghdasaryan <surenb@google.com>	Thu Aug 17 10:43:14 2017 -0700
committer	Suren Baghdasaryan <surenb@google.com>	Fri Aug 18 22:01:25 2017 +0000
tree	bd48bdba9e9cdd22b3798e1b956a6a9b24ab89ba
parent	ca95b3e3a5a1ce52be5a958637ac064e28fe4be9 [diff] [blame]