On Tue, Aug 14, 2018 at 3:35 PM, Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
> According to ETSI TS 102 622 specification chapter 4.4 pipe identifier
> is 7 bits long which allows for 128 unique pipe IDs. Because
> NFC_HCI_MAX_PIPES is used as the number of pipes supported and not
> as the max pipe ID, its value should be 128 instead of 127.
>
> nfc_hci_recv_from_llc extracts pipe ID from packet header using
> NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127.
> Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With
> pipes array having only 127 elements and pipe ID of 127 the OOB memory
> access will result.
>
> Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
-Kees
> ---
> include/net/nfc/hci.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/net/nfc/hci.h b/include/net/nfc/hci.h
> index 316694dafa5b..008f466d1da7 100644
> --- a/include/net/nfc/hci.h
> +++ b/include/net/nfc/hci.h
> @@ -87,7 +87,7 @@ struct nfc_hci_pipe {
> * According to specification 102 622 chapter 4.4 Pipes,
> * the pipe identifier is 7 bits long.
> */
> -#define NFC_HCI_MAX_PIPES 127
> +#define NFC_HCI_MAX_PIPES 128
> struct nfc_hci_init_data {
> u8 gate_count;
> struct nfc_hci_gate gates[NFC_HCI_MAX_CUSTOM_GATES];
> --
> 2.18.0.865.gffc8e1a3cd6-goog
>
--
Kees Cook
Pixel Security
