break;
case ST21NFCB_EVT_TRANSACTION:
+ /* According to specification etsi 102 622
+ * 11.2.2.4 EVT_TRANSACTION Table 52
+ * Description Tag Length
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
+ */
if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
return -EPROTO;
skb->len - 2, GFP_KERNEL);
transaction->aid_len = skb->data[1];
- memcpy(transaction->aid, &skb->data[2], skb->data[1]);
+ memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
+ /* Check next byte is PARAMETERS tag (82) */
if (skb->data[transaction->aid_len + 2] !=
NFC_EVT_TRANSACTION_PARAMS_TAG)
return -EPROTO;