Commit e285d5bf authored by Suren Baghdasaryan's avatar Suren Baghdasaryan Committed by David S. Miller
Browse files

NFC: Fix the number of pipes 



According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
is 7 bits long which allows for 128 unique pipe IDs. Because
NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
as the max pipe ID, its value should be 128 instead of 127.

nfc_hci_recv_from_llc extracts pipe ID from packet header using
NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
pipes array having only 127 elements and pipe ID of 127 the OOB memory
access will result.

Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: Allen Pais <allen.pais@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarSuren Baghdasaryan <surenb@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 674d9de0

include/net/nfc/hci.h

+1 −1
Original line number Diff line number Diff line
@@ -87,7 +87,7 @@ struct nfc_hci_pipe { 
 * According to specification 102 622 chapter 4.4 Pipes,

 * the pipe identifier is 7 bits long.

 */

#define NFC_HCI_MAX_PIPES		127

#define NFC_HCI_MAX_PIPES		128

struct nfc_hci_init_data {

	u8 gate_count;

	struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];

CRA Git | Maintained and supported by SUSTech CRA and CCSE