net: nfc: fix bounds checking bugs on "pipe" - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Dan Carpenter <dan.carpenter@oracle.com>	2020-03-04 17:24:31 +0300
committer	David S. Miller <davem@davemloft.net>	2020-03-05 21:32:42 -0800
commit	a3aefbfe45751bf7b338c181b97608e276b5bb73 (patch)
tree	5d11e5ff1d358db10e02ffaa583dc462ad0835a2 /net/bluetooth/a2mp.c
parent	e25d5dbcffae62c9a7fa03517dfa4b8e67670e3d (diff)
download	linux-a3aefbfe45751bf7b338c181b97608e276b5bb73.tar.bz2

net: nfc: fix bounds checking bugs on "pipe"

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0 ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which added range checks on "pipe". The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work(). It's in the 0-255 range. We're using it as the array index into the hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members. Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/bluetooth/a2mp.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: