On Tue, Aug 14, 2018 at 9:57 AM, Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
> On Tue, Aug 14, 2018 at 2:54 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>> Thanks. This is great. I'm so glad these are finally getting fixed.
>>
>> Do we need to fix nfc_hci_msg_rx_work() and nfc_hci_recv_from_llc() as
>> well? In nfc_hci_recv_from_llc() we allow pipe to be NFC_HCI_FRAGMENT
>> (0x7f) so that's one element beyond the end of the array and the
>> NFC_HCI_HCP_RESPONSE isn't checked.
>>
>> Also nci_hci_msg_rx_work() and nci_hci_data_received_cb() use
>> NCI_HCP_MSG_GET_PIPE() so those could be off by one.
>
> Good point. From hci.h:
>
> /*
> * According to specification 102 622 chapter 4.4 Pipes,
> * the pipe identifier is 7 bits long.
> */
> #define NFC_HCI_MAX_PIPES 127
>
> And then:
>
> struct nfc_hci_dev {
> ...
> struct nfc_hci_pipe pipes[NFC_HCI_MAX_PIPES];
> ...
> }
>
> I think the correct fix would be to change it to:
>
> struct nfc_hci_pipe pipes[NFC_HCI_MAX_PIPES + 1];
>
> What do you think?
>
Just to be clear, this would fix the problem Dan described in his
reply and it should be implemented in a separate patch. The original
fix is still valid.
>>
>> regards,
>> dan carpenter
>>
