What is the bug we are preventing with this? On Thu, Jul 12, 2012 at 07:17:33PM +0200, Samuel Ortiz wrote: > From: Eric Lapuyade <eric.lapuyade@xxxxxxxxx> > > Signed-off-by: Eric Lapuyade <eric.lapuyade@xxxxxxxxx> > Reported-by: Mathias Jeppsson <mathias.jeppsson@xxxxxxxxxxxxxx> > Signed-off-by: Samuel Ortiz <sameo@xxxxxxxxxxxxxxx> > --- > net/nfc/hci/core.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c > index e1a640d..7b1ca7d 100644 > --- a/net/nfc/hci/core.c > +++ b/net/nfc/hci/core.c > @@ -170,6 +170,7 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate) > struct nfc_target *targets; > struct sk_buff *atqa_skb = NULL; > struct sk_buff *sak_skb = NULL; > + struct sk_buff *uid_skb = NULL; > int r; > > pr_debug("from gate %d\n", gate); > @@ -205,6 +206,19 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate) > targets->sens_res = be16_to_cpu(*(u16 *)atqa_skb->data); > targets->sel_res = sak_skb->data[0]; > > + r = nfc_hci_get_param(hdev, NFC_HCI_RF_READER_A_GATE, > + NFC_HCI_RF_READER_A_UID, &uid_skb); > + if (r < 0) > + goto exit; > + > + if (uid_skb->len == 0 || uid_skb->len > NFC_NFCID1_MAXSIZE) { > + r = -EPROTO; > + goto exit; > + } > + > + memcpy (targets->nfcid1, uid_skb->data, uid_skb->len); > + targets->nfcid1_len = uid_skb->len; > + > if (hdev->ops->complete_target_discovered) { > r = hdev->ops->complete_target_discovered(hdev, gate, > targets); > @@ -240,6 +254,7 @@ exit: > kfree(targets); > kfree_skb(atqa_skb); > kfree_skb(sak_skb); > + kfree_skb(uid_skb); > > return r; > } > -- > 1.7.10 > > -- John W. Linville Someday the world will need a hero, and you linville@xxxxxxxxxxxxx might be all we have. Be ready. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html