Unverified Commit 1202ff30 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!9724 Fix CVE-2024-35915

Merge Pull Request from: @ci-robot 
 
PR sync from: Zheng Zucheng <zhengzucheng@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/62YFGXVSKXXQRO7GCGTO2UW6J5U55IDH/ 
Ryosuke Yasuoka (3):
  nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
  nfc: nci: Fix uninit-value in nci_rx_work
  nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()

Tetsuo Handa (1):
  nfc: nci: Fix kcov check in nci_rx_work()


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG8F 
 
Link:https://gitee.com/openeuler/kernel/pulls/9724

 

Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents 3747e12f 7bd57837
+19 −0
@@ -1457,6 +1457,20 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
				 ndev->ops->n_core_ops);
}

static bool nci_valid_size(struct sk_buff *skb)
{
	unsigned int hdr_size = NCI_CTRL_HDR_SIZE;

	BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);

	if (skb->len < hdr_size ||
	    !nci_plen(skb->data) ||
	    skb->len < hdr_size + nci_plen(skb->data)) {
		return false;
	}
	return true;
}

/* ---- NCI TX Data worker thread ---- */

static void nci_tx_work(struct work_struct *work)
@@ -1507,6 +1521,11 @@ static void nci_rx_work(struct work_struct *work)
		nfc_send_to_raw_sock(ndev->nfc_dev, skb,
				     RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);

		if (!nci_valid_size(skb)) {
			kfree_skb(skb);
			continue;
		}

		/* Process frame */
		switch (nci_mt(skb->data)) {
		case NCI_MT_RSP_PKT:
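Review bot: `nci_valid_size()` enforces only a lower bound: `skb->len < hdr_size + nci_plen(skb->data)` still accepts a frame that carries more bytes than its header declares, so any handler reached from the `switch` in `nci_rx_work()` that sizes its parsing from `skb->len` rather than the declared length would also consume the surplus bytes. Those handlers are not visible on this page, so this is something to confirm rather than a proven defect; if transport drivers are not expected to pad frames, trimming after the check with `skb_trim(skb, NCI_CTRL_HDR_SIZE + nci_plen(skb->data));` would bound what they see. The helper also deserves a short comment such as `/* Length check must stay first: nci_plen() reads from skb->data. */`, plus a line on why a zero declared length is rejected for every message type. Invalid frames are freed without leaving any trace, so a ratelimited debug message inside the new `if` would make a misbehaving controller visible to whoever is diagnosing it. The body of `nci_rx_work()` starts and ends outside the second hunk.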