Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nfc: pn533: prevent potential memory corruption

If the "type_a->nfcid_len" is too large then it would lead to memory
corruption in pn533_target_found_type_a() when we do:

memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);

Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Dan Carpenter and committed by David S. Miller
ca4d4c34 8577dd8a

+3
drivers/nfc/pn533/pn533.c
··· 706 706 if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0) 707 707 return false; 708 708 709 + if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE) 710 + return false; 711 + 709 712 return true; 710 713 } 711 714
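Review bot: The new test at line 709, `if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE)`, bounds only the destination side of the copy; nothing in the visible lines confirms that the received response actually carries `nfcid_len` bytes of `nfcid_data`, so a short frame with a large-but-legal length could still cause a read past the end of the source buffer. If this validator has access to the received data length, it would be worth comparing `nfcid_len` against that as well. Separately, the memcpy quoted in the commit message lives in pn533_target_found_type_a() and uses `nfc_tgt->nfcid1_len`, while the check here is in a different function and on `type_a->nfcid_len`, so the protection holds only if every path to that copy runs this validator first. A short comment above the new check naming the copy it protects would make that dependency visible to anyone who later adds another caller.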