NFC: st21nfca: Add condition to make sure atr_req->length is valid. gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for that could lead to a potential kernel oops. We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req) to avoid such situation. Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

commit: 56f1ffcccd784672654918f9214979b4918c2544 [log] [tgz]
author: Christophe Ricard <christophe.ricard@gmail.com> Mon Aug 11 00:04:56 2014 +0200
committer: Samuel Ortiz <sameo@linux.intel.com> Mon Sep 08 00:07:44 2014 +0200
tree: 9a7015cf87cc64844792febb32d0cd8e75124cb3
parent: a51577c9e3c49dbc44c821f9e170b96bbea716e3 [diff]
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c
index b6de27b..6c09a66 100644
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c

@@ -211,6 +211,11 @@
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
+	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+		r = -EPROTO;
+		goto exit;
+	}
+
 	r = st21nfca_tm_send_atr_res(hdev, atr_req);
 	if (r)
 		goto exit;
commit	56f1ffcccd784672654918f9214979b4918c2544	[log] [tgz]
author	Christophe Ricard <christophe.ricard@gmail.com>	Mon Aug 11 00:04:56 2014 +0200
committer	Samuel Ortiz <sameo@linux.intel.com>	Mon Sep 08 00:07:44 2014 +0200
tree	9a7015cf87cc64844792febb32d0cd8e75124cb3
parent	a51577c9e3c49dbc44c821f9e170b96bbea716e3 [diff]