[thirdparty/kernel/stable-queue.git] / releases / 5.0.10 / nfc-nci-potential-off-by-one-in-pipes-array.patch

From foo@baz Sat Apr 20 16:43:09 CEST 2019
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 3 Apr 2019 10:13:51 +0300
Subject: nfc: nci: Potential off by one in ->pipes[] array

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ]

This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
where we changed NFC_HCI_MAX_PIPES from 127 to 128.

As the comment next to the define explains, the pipe identifier is 7
bits long.  The highest possible pipe is 127, but the number of possible
pipes is 128.  As the code is now, then there is potential for an
out of bounds array access:

    net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
    'ndev->hci_dev->pipes[pipe]' '0-127 == 127'

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/nfc/nci_core.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -166,7 +166,7 @@ struct nci_conn_info {
  * According to specification 102 622 chapter 4.4 Pipes,
  * the pipe identifier is 7 bits long.
  */
-#define NCI_HCI_MAX_PIPES          127
+#define NCI_HCI_MAX_PIPES          128
 
 struct nci_hci_gate {
 	u8 gate;
Commit	Line	Data
0ee3da53 GKH	1	From foo@baz Sat Apr 20 16:43:09 CEST 2019
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Wed, 3 Apr 2019 10:13:51 +0300
	4	Subject: nfc: nci: Potential off by one in ->pipes[] array
	5
	6	From: Dan Carpenter <dan.carpenter@oracle.com>
	7
	8	[ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ]
	9
	10	This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
	11	where we changed NFC_HCI_MAX_PIPES from 127 to 128.
	12
	13	As the comment next to the define explains, the pipe identifier is 7
	14	bits long. The highest possible pipe is 127, but the number of possible
	15	pipes is 128. As the code is now, then there is potential for an
	16	out of bounds array access:
	17
	18	net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
	19	'ndev->hci_dev->pipes[pipe]' '0-127 == 127'
	20
	21	Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
	22	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	---
	25	include/net/nfc/nci_core.h \| 2 +-
	26	1 file changed, 1 insertion(+), 1 deletion(-)
	27
	28	--- a/include/net/nfc/nci_core.h
	29	+++ b/include/net/nfc/nci_core.h
	30	@@ -166,7 +166,7 @@ struct nci_conn_info {
	31	* According to specification 102 622 chapter 4.4 Pipes,
	32	* the pipe identifier is 7 bits long.
	33	*/
	34	-#define NCI_HCI_MAX_PIPES 127
	35	+#define NCI_HCI_MAX_PIPES 128
	36
	37	struct nci_hci_gate {
	38	u8 gate;