net: nfc: fix bounds checking bugs on "pipe" (a3aefbfe) · Commits · 戴 / test

This is similar to commit ("NFC: Fix possible memory corruption when handling SHDLC I-Frame commands") and commit ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which added range checks on "pipe". The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work(). It's in the 0-255 range. We're using it as the array index into the hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members. Fixes: ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}") Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:

David S. Miller <davem@davemloft.net>

net/nfc/hci/core.c

+16 −3

Original line number	Diff line number	Diff line
		@@ -181,13 +181,20 @@ exit:
		void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
		struct sk_buff *skb)
		{
		u8 gate = hdev->pipes[pipe].gate;
		u8 status = NFC_HCI_ANY_OK;
		struct hci_create_pipe_resp *create_info;
		struct hci_delete_pipe_noti *delete_info;
		struct hci_all_pipe_cleared_noti *cleared_info;
		u8 gate;

		pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
		pr_debug("from pipe %x cmd %x\n", pipe, cmd);

		if (pipe >= NFC_HCI_MAX_PIPES) {
		status = NFC_HCI_ANY_E_NOK;
		goto exit;
		}

		gate = hdev->pipes[pipe].gate;

		switch (cmd) {
		case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
		@@ -375,8 +382,14 @@ void nfc_hci_event_received(struct nfc_hci_dev *hdev, u8 pipe, u8 event,
		struct sk_buff *skb)
		{
		int r = 0;
		u8 gate = hdev->pipes[pipe].gate;
		u8 gate;

		if (pipe >= NFC_HCI_MAX_PIPES) {
		pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
		goto exit;
		}

		gate = hdev->pipes[pipe].gate;
		if (gate == NFC_HCI_INVALID_GATE) {
		pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
		goto exit;

Admin message