ben at decadent
Jul 9, 2012, 7:31 AM
Post #1 of 1
(23 views)
Permalink
|
|
[ 05/48] NFC: Prevent multiple buffer overflows in NCI
|
|
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Rosenberg <dan.j.rosenberg [at] gmail>
commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
Fix multiple remotely-exploitable stack-based buffer overflows due to
the NCI code pulling length fields directly from incoming frames and
copying too much data into statically-sized arrays.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg [at] gmail>
Cc: security [at] kernel
Cc: Lauro Ramos Venancio <lauro.venancio [at] openbossa>
Cc: Aloisio Almeida Jr <aloisio.almeida [at] openbossa>
Cc: Samuel Ortiz <sameo [at] linux>
Cc: David S. Miller <davem [at] davemloft>
Acked-by: Ilan Elias <ilane [at] ti>
Signed-off-by: Samuel Ortiz <sameo [at] linux>
[.bwh: Backported to 3.2:
- Drop changes to parsing of tech B and tech F parameters
- Various renaming]
Signed-off-by: Ben Hutchings <ben [at] decadent>
---
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_
nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
data += 2;
- nfca_poll->nfcid1_len = *data++;
+ nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
nfc_dbg("sens_res 0x%x, nfcid1_len %d",
nfca_poll->sens_res,
@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_
switch (ntf->rf_interface_type) {
case NCI_RF_INTERFACE_ISO_DEP:
- nfca_poll_iso_dep->rats_res_len = *data++;
+ nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
if (nfca_poll_iso_dep->rats_res_len > 0) {
memcpy(nfca_poll_iso_dep->rats_res,
data,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
|
