On Mon, Jun 6, 2022 at 7:57 PM Martin Faltesek <mfaltesek@xxxxxxxxxx> wrote:
>
> The first validation check for EVT_TRANSACTION has two different checks
> tied together with logical AND. One is a check for minimum packet length,
> and the other is for a valid aid_tag. If either condition is true (fails),
> then an error should be triggered. The fix is to change && to ||.
>
> Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Martin Faltesek <mfaltesek@xxxxxxxxxx>
Reviewed-by: Guenter Roeck <groeck@xxxxxxxxxxxx>
> ---
> drivers/nfc/st21nfca/se.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
> index 7e213f8ddc98..9645777f2544 100644
> --- a/drivers/nfc/st21nfca/se.c
> +++ b/drivers/nfc/st21nfca/se.c
> @@ -315,7 +315,7 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
> * AID 81 5 to 16
> * PARAMETERS 82 0 to 255
> */
> - if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
> + if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
> skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
> return -EPROTO;
>
> --
> 2.36.1.255.ge46751e96f-goog
>
