Commit 5bb5dfac authored by Ryosuke Yasuoka's avatar Ryosuke Yasuoka Committed by openeuler-sync-bot
Browse files

nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 

mainline inclusion
from mainline-v6.9-rc1
commit 6671e352497ca4bb07a96c48e03907065ff77d8a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8F
CVE: CVE-2024-35915

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6671e352497ca4bb07a96c48e03907065ff77d8a



--------------------------------

When nci_rx_work() receives a zero-length payload packet, it should not
discard the packet and exit the loop. Instead, it should continue
processing subsequent packets.

Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
Signed-off-by: default avatarRyosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarZheng Zucheng <zhengzucheng@huawei.com>
(cherry picked from commit 91b5c82f)
parent 8982cef1

net/nfc/nci/core.c

+1 −2
Original line number Diff line number Diff line
@@ -1518,8 +1518,7 @@ static void nci_rx_work(struct work_struct *work) 


		if (!nci_valid_size(skb)) {

			kfree_skb(skb);

			kcov_remote_stop();

			break;

			continue;

		}



		/* Process frame */