nfc: nci: fix the UAF of rf_conn_info object
authorLin Ma <linma@zju.edu.cn>
Thu, 7 Oct 2021 17:44:30 +0000 (19:44 +0200)
committerDavid S. Miller <davem@davemloft.net>
Fri, 8 Oct 2021 16:24:32 +0000 (17:24 +0100)
The nci_core_conn_close_rsp_packet() function will release the conn_info
with given conn_id. However, it needs to set the rf_conn_info to NULL to
prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
the UAF.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/nfc/nci/rsp.c

index a2e72c0038050dee96fbb865b3df504d31338249..b911ab78bed9aa14e30ea670e978987d7f827bd1 100644 (file)
@@ -334,6 +334,8 @@ static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev,
                                                         ndev->cur_conn_id);
                if (conn_info) {
                        list_del(&conn_info->list);
+                       if (conn_info == ndev->rf_conn_info)
+                               ndev->rf_conn_info = NULL;
                        devm_kfree(&ndev->nfc_dev->dev, conn_info);
                }
        }