]> Gitweb @ Texas Instruments - Open Source Git Repositories - git.TI.com/gitweb - glsdk/meta-ti-glsdk.git/blob - recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
projects / glsdk / meta-ti-glsdk.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
linux-ti33x-psp 3.2: update to 3.2.23
[glsdk/meta-ti-glsdk.git] / recipes-kernel / linux / linux-ti33x-psp-3.2 / 3.2.23 / 0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
1 From e7d858dec1d8cf3c283019ff51adae14b8be9388 Mon Sep 17 00:00:00 2001
2 From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
3 Date: Mon, 25 Jun 2012 16:05:27 +0200
4 Subject: [PATCH 05/49] NFC: Prevent multiple buffer overflows in NCI
5
6 commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
7
8 Fix multiple remotely-exploitable stack-based buffer overflows due to
9 the NCI code pulling length fields directly from incoming frames and
10 copying too much data into statically-sized arrays.
11
12 Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
13 Cc: security@kernel.org
14 Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
15 Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
16 Cc: Samuel Ortiz <sameo@linux.intel.com>
17 Cc: David S. Miller <davem@davemloft.net>
18 Acked-by: Ilan Elias <ilane@ti.com>
19 Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
20 [bwh: Backported to 3.2:
21  - Drop changes to parsing of tech B and tech F parameters
22  - Various renaming]
23 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
24 ---
25  net/nfc/nci/ntf.c |    4 ++--
26  1 file changed, 2 insertions(+), 2 deletions(-)
27
28 diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
29 index 96633f5..12b6a80 100644
30 --- a/net/nfc/nci/ntf.c
31 +++ b/net/nfc/nci/ntf.c
32 @@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
33         nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
34         data += 2;
35  
36 -       nfca_poll->nfcid1_len = *data++;
37 +       nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
38  
39         nfc_dbg("sens_res 0x%x, nfcid1_len %d",
40                 nfca_poll->sens_res,
41 @@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
42  
43         switch (ntf->rf_interface_type) {
44         case NCI_RF_INTERFACE_ISO_DEP:
45 -               nfca_poll_iso_dep->rats_res_len = *data++;
46 +               nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
47                 if (nfca_poll_iso_dep->rats_res_len > 0) {
48                         memcpy(nfca_poll_iso_dep->rats_res,
49                                 data,
50 -- 
51 1.7.10
52
GLSDK development repositories - Temporary repository for meta-ti staging instead of arago-project.org. Use this only until arago-project.org is fully set up.