NFC: microread: Potential overflows in microread_target_discovered()
authorDan Carpenter <dan.carpenter@oracle.com>
Mon, 1 Sep 2014 17:27:29 +0000 (20:27 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 5 Oct 2014 21:52:18 +0000 (14:52 -0700)
commit d07f1e8600ccb885c8f4143402b8912f7d827bcb upstream.

Smatch says that skb->data is untrusted so we need to check to make sure
that the memcpy() doesn't overflow.

Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/nfc/microread/microread.c

index f868333..963a4a5 100644 (file)
@@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
                targets->sens_res =
                         be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]);
                targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK];
-               memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
-                      skb->data[MICROREAD_EMCF_A_LEN]);
                targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN];
+               if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
+                       r = -EINVAL;
+                       goto exit_free;
+               }
+               memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID],
+                      targets->nfcid1_len);
                break;
        case MICROREAD_GATE_ID_MREAD_ISO_A_3:
                targets->supported_protocols =
@@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate,
                targets->sens_res =
                         be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]);
                targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK];
-               memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
-                      skb->data[MICROREAD_EMCF_A3_LEN]);
                targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN];
+               if (targets->nfcid1_len > sizeof(targets->nfcid1)) {
+                       r = -EINVAL;
+                       goto exit_free;
+               }
+               memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID],
+                      targets->nfcid1_len);
                break;
        case MICROREAD_GATE_ID_MREAD_ISO_B:
                targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK;