nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
authorKang Chen <void0red@gmail.com>
Mon, 27 Feb 2023 09:30:37 +0000 (17:30 +0800)
committerPaolo Abeni <pabeni@redhat.com>
Tue, 28 Feb 2023 10:48:28 +0000 (11:48 +0100)
devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause
out-of-bounds write in device_property_read_u8_array later.

Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver")
Signed-off-by: Kang Chen <void0red@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230227093037.907654-1-void0red@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
drivers/nfc/fdp/i2c.c

index 2d53e0f88d2f95a6cf0f781285ba499279f9f33c..1e0f2297f9c665820aabb2093ebd3c71fc8325aa 100644 (file)
@@ -247,6 +247,9 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
                                           len, sizeof(**fw_vsc_cfg),
                                           GFP_KERNEL);
 
+               if (!*fw_vsc_cfg)
+                       goto alloc_err;
+
                r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME,
                                                  *fw_vsc_cfg, len);
 
@@ -260,6 +263,7 @@ vsc_read_err:
                *fw_vsc_cfg = NULL;
        }
 
+alloc_err:
        dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s",
                *clock_type, *clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no");
 }