1 From e7d858dec1d8cf3c283019ff51adae14b8be9388 Mon Sep 17 00:00:00 2001
2 From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
3 Date: Mon, 25 Jun 2012 16:05:27 +0200
4 Subject: [PATCH 05/49] NFC: Prevent multiple buffer overflows in NCI
6 commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
8 Fix multiple remotely-exploitable stack-based buffer overflows due to
9 the NCI code pulling length fields directly from incoming frames and
10 copying too much data into statically-sized arrays.
12 Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
13 Cc: security@kernel.org
14 Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
15 Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
16 Cc: Samuel Ortiz <sameo@linux.intel.com>
17 Cc: David S. Miller <davem@davemloft.net>
18 Acked-by: Ilan Elias <ilane@ti.com>
19 Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
20 [bwh: Backported to 3.2:
21 - Drop changes to parsing of tech B and tech F parameters
22 - Various renaming]
23 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
24 ---
25 net/nfc/nci/ntf.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
28 diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
29 index 96633f5..12b6a80 100644
30 --- a/net/nfc/nci/ntf.c
31 +++ b/net/nfc/nci/ntf.c
32 @@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
33 nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
34 data += 2;
36 - nfca_poll->nfcid1_len = *data++;
37 + nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
39 nfc_dbg("sens_res 0x%x, nfcid1_len %d",
40 nfca_poll->sens_res,
41 @@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
43 switch (ntf->rf_interface_type) {
44 case NCI_RF_INTERFACE_ISO_DEP:
45 - nfca_poll_iso_dep->rats_res_len = *data++;
46 + nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
47 if (nfca_poll_iso_dep->rats_res_len > 0) {
48 memcpy(nfca_poll_iso_dep->rats_res,
49 data,
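Review bot: The `rats_res_len` clamp in the second hunk hard-codes `20`, whereas the `nfcid1_len` clamp in the first hunk uses `sizeof(nfca_poll->nfcid1)`; the literal presumably equals the size of `rats_res`, but that declaration is not visible here and the bound would go stale without warning if the array were ever resized. I would write it as `nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, sizeof(nfca_poll_iso_dep->rats_res));` so the limit follows the destination buffer. Both clamps also truncate an oversized length silently, and the `nfc_dbg` call in the first hunk prints only the clamped value, so a malformed frame leaves no trace in the log; a rate-limited warning that records the length taken from the frame would help detection. Neither hunk shows a check that the incoming frame really holds that many bytes after `data`, which matters for the `memcpy` source; the function body continues outside both hunks, so this may be handled elsewhere.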
50 --
51 1.7.10