What is the bug we are preventing with this?
On Thu, Jul 12, 2012 at 07:17:33PM +0200, Samuel Ortiz wrote:
> From: Eric Lapuyade <eric.lapuyade@xxxxxxxxx>
>
> Signed-off-by: Eric Lapuyade <eric.lapuyade@xxxxxxxxx>
> Reported-by: Mathias Jeppsson <mathias.jeppsson@xxxxxxxxxxxxxx>
> Signed-off-by: Samuel Ortiz <sameo@xxxxxxxxxxxxxxx>
> ---
> net/nfc/hci/core.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
> index e1a640d..7b1ca7d 100644
> --- a/net/nfc/hci/core.c
> +++ b/net/nfc/hci/core.c
> @@ -170,6 +170,7 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
> struct nfc_target *targets;
> struct sk_buff *atqa_skb = NULL;
> struct sk_buff *sak_skb = NULL;
> + struct sk_buff *uid_skb = NULL;
> int r;
>
> pr_debug("from gate %d\n", gate);
> @@ -205,6 +206,19 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
> targets->sens_res = be16_to_cpu(*(u16 *)atqa_skb->data);
> targets->sel_res = sak_skb->data[0];
>
> + r = nfc_hci_get_param(hdev, NFC_HCI_RF_READER_A_GATE,
> + NFC_HCI_RF_READER_A_UID, &uid_skb);
> + if (r < 0)
> + goto exit;
> +
> + if (uid_skb->len == 0 || uid_skb->len > NFC_NFCID1_MAXSIZE) {
> + r = -EPROTO;
> + goto exit;
> + }
> +
> + memcpy (targets->nfcid1, uid_skb->data, uid_skb->len);
> + targets->nfcid1_len = uid_skb->len;
> +
> if (hdev->ops->complete_target_discovered) {
> r = hdev->ops->complete_target_discovered(hdev, gate,
> targets);
> @@ -240,6 +254,7 @@ exit:
> kfree(targets);
> kfree_skb(atqa_skb);
> kfree_skb(sak_skb);
> + kfree_skb(uid_skb);
>
> return r;
> }
> --
> 1.7.10
>
>
--
John W. Linville Someday the world will need a hero, and you
linville@xxxxxxxxxxxxx might be all we have. Be ready.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
