Diffstat (limited to 'recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch')
-rw-r--r-- | recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch | 52 |
1 files changed, 52 insertions, 0 deletions
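--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
@@ -0,0 +1,52 @@
+From e7d858dec1d8cf3c283019ff51adae14b8be9388 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Date: Mon, 25 Jun 2012 16:05:27 +0200
+Subject: [PATCH 05/49] NFC: Prevent multiple buffer overflows in NCI
+
+commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
+
+Fix multiple remotely-exploitable stack-based buffer overflows due to
+the NCI code pulling length fields directly from incoming frames and
+copying too much data into statically-sized arrays.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Cc: security@kernel.org
+Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
+Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Acked-by: Ilan Elias <ilane@ti.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+[bwh: Backported to 3.2:
+- Drop changes to parsing of tech B and tech F parameters
+- Various renaming]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+net/nfc/nci/ntf.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index 96633f5..12b6a80 100644
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
+nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
+data += 2;
+
+- nfca_poll->nfcid1_len = *data++;
++ nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
+
+nfc_dbg("sens_res 0x%x, nfcid1_len %d",
+nfca_poll->sens_res,
+@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
+
+switch (ntf->rf_interface_type) {
+case NCI_RF_INTERFACE_ISO_DEP:
+- nfca_poll_iso_dep->rats_res_len = *data++;
++ nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
+if (nfca_poll_iso_dep->rats_res_len > 0) {
+memcpy(nfca_poll_iso_dep->rats_res,
+data,
+--
+1.7.10
+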
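Review bot: In the `NCI_RF_INTERFACE_ISO_DEP` case the clamp on `rats_res_len` uses a bare `20`, whereas the `nfcid1_len` clamp in the first hunk is tied to its buffer with `sizeof(nfca_poll->nfcid1)`; a literal bound goes stale silently if the array is ever resized. Assuming `rats_res` is a fixed-size array member, as the `memcpy` destination suggests, `min_t(__u8, *data++, sizeof(nfca_poll_iso_dep->rats_res))` would keep the limit and the buffer defined in one place. Both clamps also truncate an oversized wire length without leaving any trace, so a short comment such as `/* length comes from the frame; clamp to the destination array */` and a debug message when the received value exceeds the bound would help whoever triages a malformed frame. The body of `nci_rf_activate_nfca_passive_poll` starts and ends outside both hunks, so whether `data` is later advanced by the clamped or the received length cannot be checked from here.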