Commit | Line | Data |
---|---|---|
0ee3da53 GKH |
1 | From foo@baz Sat Apr 20 16:43:09 CEST 2019 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Wed, 3 Apr 2019 10:13:51 +0300 | |
4 | Subject: nfc: nci: Potential off by one in ->pipes[] array | |
5 | ||
6 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
7 | ||
8 | [ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ] | |
9 | ||
10 | This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes") | |
11 | where we changed NFC_HCI_MAX_PIPES from 127 to 128. | |
12 | ||
13 | As the comment next to the define explains, the pipe identifier is 7 | |
14 | bits long. The highest possible pipe is 127, but the number of possible | |
15 | pipes is 128. As the code is now, there is potential for an | |
16 | out of bounds array access: | |
17 | ||
18 | net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one? | |
19 | 'ndev->hci_dev->pipes[pipe]' '0-127 == 127' | |
20 | ||
21 | Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support") | |
22 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
24 | --- | |
25 | include/net/nfc/nci_core.h | 2 +- | |
26 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
27 | ||
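--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -166,7 +166,7 @@ struct nci_conn_info {
 * According to specification 102 622 chapter 4.4 Pipes,
 * the pipe identifier is 7 bits long.
 */
-#define NCI_HCI_MAX_PIPES 127
+#define NCI_HCI_MAX_PIPES 128
 
 struct nci_hci_gate {
 u8 gate;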
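Review bot: The comment above `NCI_HCI_MAX_PIPES` still says only that the pipe identifier is 7 bits long, and never states that the macro is a count (the array size) rather than the highest valid id, which is the ambiguity behind this off-by-one. I would add a line such as `* NCI_HCI_MAX_PIPES is the number of pipes, so valid pipe ids are 0..NCI_HCI_MAX_PIPES - 1.` so a later reader does not "correct" the value back to 127. The comment block opens above the hunk, so its first lines are not visible here. The commit message shows `pipes[pipe]` being indexed in `nci_hci_cmd_received()`, which is also outside this hunk; the pipe id presumably comes from data sent by the NFC controller, so it is worth confirming that every such index is masked to 7 bits or checked against `NCI_HCI_MAX_PIPES` before use.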