NFC: Prevent multiple buffer overflows in NCI
authorDan Rosenberg <dan.j.rosenberg@gmail.com>
Mon, 25 Jun 2012 14:05:27 +0000 (16:05 +0200)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 12 Jul 2012 03:32:01 +0000 (04:32 +0100)
commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.

Fix multiple remotely-exploitable stack-based buffer overflows due to
the NCI code pulling length fields directly from incoming frames and
copying too much data into statically-sized arrays.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: security@kernel.org
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Acked-by: Ilan Elias <ilane@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
[bwh: Backported to 3.2:
 - Drop changes to parsing of tech B and tech F parameters
 - Various renaming]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/nfc/nci/ntf.c

index 96633f5cda4f790d3bae4ecdfa4f3a6435c5797c..12b6a80a5c7164f18e7eb8a90e04eb391ae59419 100644 (file)
@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
        nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
        data += 2;
 
-       nfca_poll->nfcid1_len = *data++;
+       nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
 
        nfc_dbg("sens_res 0x%x, nfcid1_len %d",
                nfca_poll->sens_res,
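Review bot: The min_t() on the new nfcid1_len line bounds the destination write into nfcid1 but not the source read: the length still comes from the frame, and the copy that presumably follows (outside this hunk) reads that many bytes from `data` whether or not the notification actually carries them, after `data` has already been advanced past sens_res without any remaining-length check. If nci_rf_activate_nfca_passive_poll does not validate the payload length against the skb before this point (the function starts and ends outside the hunk), the clamp should be paired with a check of the bytes left in the frame, something like `if (nfca_poll->nfcid1_len > remaining) return -EINVAL;` with `remaining` derived from the skb length, rather than relying on the clamp alone. Silently truncating an oversize NFCID1 also lets a malformed notification continue up the stack with a wrong identifier; rejecting the frame would be the safer choice and is worth a comment if truncation is intended: `/* clamp rather than reject: NFCID1 is at most sizeof(nfcid1) bytes per NCI */`.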
@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
 
        switch (ntf->rf_interface_type) {
        case NCI_RF_INTERFACE_ISO_DEP:
-               nfca_poll_iso_dep->rats_res_len = *data++;
+               nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
                if (nfca_poll_iso_dep->rats_res_len > 0) {
                        memcpy(nfca_poll_iso_dep->rats_res,
                                data,