Patch "nfc/nci: Add the inconsistency check between the input data length and count" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    nfc/nci: Add the inconsistency check between the input data length and count

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfc-nci-add-the-inconsistency-check-between-the-inpu.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3b4e469b8ddb2c9b1c998313694038f092c18da4
Author: Edward Adam Davis <eadavis@xxxxxx>
Date:   Tue May 28 11:12:31 2024 +0800

    nfc/nci: Add the inconsistency check between the input data length and count
    
    [ Upstream commit 068648aab72c9ba7b0597354ef4d81ffaac7b979 ]
    
    write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf)
    
    Syzbot constructed a write() call with a data length of 3 bytes but a count value
    of 15, which passed too little data to meet the basic requirements of the function
    nci_rf_intf_activated_ntf_packet().
    
    Therefore, increasing the comparison between data length and count value to avoid
    problems caused by inconsistent data length and count.
    
    Reported-and-tested-by: syzbot+71bfed2b2bcea46c98f2@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
index 85c06dbb2c449..9fffd4421ad5b 100644
--- a/drivers/nfc/virtual_ncidev.c
+++ b/drivers/nfc/virtual_ncidev.c
@@ -121,6 +121,10 @@ static ssize_t virtual_ncidev_write(struct file *file,
 		kfree_skb(skb);
 		return -EFAULT;
 	}
+	if (strnlen(skb->data, count) != count) {
+		kfree_skb(skb);
+		return -EINVAL;
+	}
 
 	nci_recv_frame(ndev, skb);
 	return count;
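
Review bot: the `strnlen(skb->data, count) != count` test added just before `nci_recv_frame()` treats a binary NCI frame as a C string, so it returns -EINVAL for any write whose first `count` bytes contain a 0x00 byte, not only for the short input described in the commit message. The check is reached only when the copy above did not take the -EFAULT path, so the commit message should also explain how a write with count 15 ends up carrying only 3 bytes of data. Consider validating the length where the fields are consumed instead, comparing `skb->len` with what nci_rf_intf_activated_ntf_packet() needs before it reads them, and add a comment here stating what the check is meant to guarantee.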



