net: nfc: fix bounds checking bugs on "pipe" (a3aefbfe) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit a3aefbfe authored Mar 04, 2020 by

Dan Carpenter Committed by David S. Miller Mar 05, 2020

net: nfc: fix bounds checking bugs on "pipe"

This is similar to commit 674d9de0 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands") and commit d7ee81ad
("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
added range checks on "pipe".

The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
It's in the 0-255 range.  We're using it as the array index into the
hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.

Fixes: 118278f2

 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent e25d5dbc

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 7e78a7fd
· Mar 19, 2020

mentioned in commit 7e78a7fd

mentioned in commit 7e78a7fdcc8d8c854e5dc8441a452baca24dec67

Toggle commit list
mirror @mirror
mentioned in commit ac07a9a4
· Mar 21, 2020

mentioned in commit ac07a9a4

mentioned in commit ac07a9a4de593a9a3d94aa92f98e09f979c9eb03

Toggle commit list
mirror @mirror
mentioned in commit 3587ae04
· Mar 21, 2020

mentioned in commit 3587ae04

mentioned in commit 3587ae04df1df0a70bc2251b40ac3bb4f2a0730b

Toggle commit list
mirror @mirror
mentioned in commit e5660ee1
· Mar 21, 2020

mentioned in commit e5660ee1

mentioned in commit e5660ee1a35ba155cb2bee53c441fed07aa8de67

Toggle commit list

Please register or to comment