Commit c14e2b91 authored by Martin Faltesek's avatar Martin Faltesek Committed by Tong Tiangen
Browse files

nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling 

stable inclusion
from stable-v4.19.247
commit 6fce324b530dd74750ad870699e33eeed1029ded
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP286
CVE: CVE-2022-49331

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6fce324b530dd74750ad870699e33eeed1029ded



--------------------------------

commit 996419e0 upstream.

Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.

Fixes: 26fc6c7f ("NFC: st21nfca: Add HCI transaction event support")
Fixes: 4fbcc1a4 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarMartin Faltesek <mfaltesek@google.com>
Reviewed-by: default avatarGuenter Roeck <groeck@chromium.org>
Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarTong Tiangen <tongtiangen@huawei.com>
parent 112ff69d

drivers/nfc/st21nfca/se.c

+10 −3
Original line number Diff line number Diff line
@@ -334,22 +334,29 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, 
		transaction->aid_len = skb->data[1];



		/* Checking if the length of the AID is valid */

		if (transaction->aid_len > sizeof(transaction->aid))

		if (transaction->aid_len > sizeof(transaction->aid)) {

			devm_kfree(dev, transaction);

			return -EINVAL;

		}



		memcpy(transaction->aid, &skb->data[2],

		       transaction->aid_len);



		/* Check next byte is PARAMETERS tag (82) */

		if (skb->data[transaction->aid_len + 2] !=

		    NFC_EVT_TRANSACTION_PARAMS_TAG)

		    NFC_EVT_TRANSACTION_PARAMS_TAG) {

			devm_kfree(dev, transaction);

			return -EPROTO;

		}



		transaction->params_len = skb->data[transaction->aid_len + 3];



		/* Total size is allocated (skb->len - 2) minus fixed array members */

		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))

		if (transaction->params_len > ((skb->len - 2) -

		    sizeof(struct nfc_evt_transaction))) {

			devm_kfree(dev, transaction);

			return -EINVAL;

		}



		memcpy(transaction->params, skb->data +

		       transaction->aid_len + 4, transaction->params_len);