NFC: st21nfca: Add condition to make sure atr_req->length is valid.

gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such situation.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c
index b6de27b5011d0741e806d4312817662b04d16b54..6c09a66d9a1d9dfaa771819321756b6732d9e571 100644 (file)
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c
@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
        atr_req = (struct st21nfca_atr_req *)skb->data;
 
+       if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+               r = -EPROTO;
+               goto exit;
+       }
+
        r = st21nfca_tm_send_atr_res(hdev, atr_req);
        if (r)
                goto exit;