Unverified Commit 50f1377f authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!9074 [sync] PR-8963: Fix CVE-2024-35915

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/8963 
 
PR sync from: Zheng Zucheng <zhengzucheng@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BTUPGOQIU7F67TVTYY2D7QDDHWKYRRYC/ 
Fix CVE-2024-35915

Ryosuke Yasuoka (3):
  nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
  nfc: nci: Fix uninit-value in nci_rx_work
  nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()

Tetsuo Handa (1):
  nfc: nci: Fix kcov check in nci_rx_work()


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG8F 
 
Link:https://gitee.com/openeuler/kernel/pulls/9074

 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents f7990d83 5bb5dfac
+19 −0
@@ -1452,6 +1452,20 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
				 ndev->ops->n_core_ops);
}

static bool nci_valid_size(struct sk_buff *skb)
{
	unsigned int hdr_size = NCI_CTRL_HDR_SIZE;

	BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);

	if (skb->len < hdr_size ||
	    !nci_plen(skb->data) ||
	    skb->len < hdr_size + nci_plen(skb->data)) {
		return false;
	}
	return true;
}

/* ---- NCI TX Data worker thread ---- */

static void nci_tx_work(struct work_struct *work)
@@ -1502,6 +1516,11 @@ static void nci_rx_work(struct work_struct *work)
		nfc_send_to_raw_sock(ndev->nfc_dev, skb,
				     RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);

		if (!nci_valid_size(skb)) {
			kfree_skb(skb);
			continue;
		}

		/* Process frame */
		switch (nci_mt(skb->data)) {
		case NCI_MT_RSP_PKT:
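Review bot: The `!nci_plen(skb->data)` clause in nci_valid_size() rejects every header-only frame regardless of message type, and nci_rx_work() then frees it before the `switch (nci_mt(skb->data))` dispatch with no log or counter. The two length comparisons are what keep the handlers from reading past the received data; the zero-payload test is a broader policy, and if any controller legitimately sends a response or notification with an empty payload (not determinable from this page) it will now vanish silently, so it is worth confirming against the handlers or narrowing the test to the message types that read payload bytes unconditionally. I would also document the contract and the ordering above the helper, e.g. `/* Frame must hold the NCI header plus the payload length it declares; check skb->len first, nci_plen() reads the header. */`. Note that nfc_send_to_raw_sock() still runs before the check, so raw-socket listeners continue to receive the malformed frames, and that nci_rx_work()'s body starts and ends outside the hunk.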