nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet
syzbot reported the following uninit-value access issue [1][2]: nci_rx_work() parses and processes received packet. When the payload length is zero, each message type handler reads uninitialized payload and KMSAN detects this issue. The receipt of a packet with a zero-size payload is considered unexpected, and therefore, such packets should be silently discarded. This patch resolved this issue by checking payload size before calling each message type handler codes. Fixes: 6a2968aa ("NFC: basic NCI protocol implementation") Reported-and-tested-by: <syzbot+7ea9413ea6749baf5574@syzkaller.appspotmail.com> Reported-and-tested-by: <syzbot+29b5ca705d2e0f4a44d2@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=7ea9413ea6749baf5574 [1] Closes: https://syzkaller.appspot.com/bug?extid=29b5ca705d2e0f4a44d2 [2] Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com> Reviewed-by: Jeremy Cline <jeremy@jcline.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
cba9ffdb
-
mentioned in commit ac68d9fa
-
mentioned in commit 11387b2e
-
mentioned in commit 03fe2596
-
mentioned in commit 19e35f24
-
mentioned in commit e8c8e0d0
-
mentioned in commit 8d65890c
-
mentioned in commit 20c4691a
-
mentioned in commit 46e72ebc
-
mentioned in commit 406cfac9
-
mentioned in commit 8f02d494
-
mentioned in commit c6c938ef
-
mentioned in commit f80b786a
-
mentioned in commit 0f26983c
-
mentioned in commit 728fb8b3
-
mentioned in commit 485ded86
-
mentioned in commit 2271803d
-
mentioned in commit db58c41b
Please register or sign in to comment