1 files changed, 52 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
new file mode 100644
index 00000000..10ae6473
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
@@ -0,0 +1,52 @@
+From e7d858dec1d8cf3c283019ff51adae14b8be9388 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Date: Mon, 25 Jun 2012 16:05:27 +0200
+Subject: [PATCH 05/49] NFC: Prevent multiple buffer overflows in NCI
+commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
+Fix multiple remotely-exploitable stack-based buffer overflows due to
+the NCI code pulling length fields directly from incoming frames and
+copying too much data into statically-sized arrays.
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Cc: security@kernel.org
+Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
+Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Acked-by: Ilan Elias <ilane@ti.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+[bwh: Backported to 3.2:
+ - Drop changes to parsing of tech B and tech F parameters
+ - Various renaming]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/nfc/nci/ntf.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index 96633f5..12b6a80 100644
+--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
+@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
+        nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
+        data += 2;
+ 
+-       nfca_poll->nfcid1_len = *data++;
+       nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
+ 
+        nfc_dbg("sens_res 0x%x, nfcid1_len %d",
+                nfca_poll->sens_res,
+@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
+ 
+        switch (ntf->rf_interface_type) {
+        case NCI_RF_INTERFACE_ISO_DEP:
+-               nfca_poll_iso_dep->rats_res_len = *data++;
+               nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
+                if (nfca_poll_iso_dep->rats_res_len > 0) {
+                        memcpy(nfca_poll_iso_dep->rats_res,
+                                data,
+-- 
+1.7.10

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch new file mode 100644 index 00000000..10ae6473 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0005-NFC-Prevent-multiple-buffer-overflows-in-NCI.patch
@@ -0,0 +1,52 @@
	1	From e7d858dec1d8cf3c283019ff51adae14b8be9388 Mon Sep 17 00:00:00 2001
	2	From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
	3	Date: Mon, 25 Jun 2012 16:05:27 +0200
	4	Subject: [PATCH 05/49] NFC: Prevent multiple buffer overflows in NCI
	5
	6	commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream.
	7
	8	Fix multiple remotely-exploitable stack-based buffer overflows due to
	9	the NCI code pulling length fields directly from incoming frames and
	10	copying too much data into statically-sized arrays.
	11
	12	Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
	13	Cc: security@kernel.org
	14	Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
	15	Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
	16	Cc: Samuel Ortiz <sameo@linux.intel.com>
	17	Cc: David S. Miller <davem@davemloft.net>
	18	Acked-by: Ilan Elias <ilane@ti.com>
	19	Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
	20	[bwh: Backported to 3.2:
	21	- Drop changes to parsing of tech B and tech F parameters
	22	- Various renaming]
	23	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	24	---
	25	net/nfc/nci/ntf.c \| 4 ++--
	26	1 file changed, 2 insertions(+), 2 deletions(-)
	27
	28	diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
	29	index 96633f5..12b6a80 100644
	30	--- a/net/nfc/nci/ntf.c
	31	+++ b/net/nfc/nci/ntf.c
	32	@@ -86,7 +86,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
	33	nfca_poll->sens_res = __le16_to_cpu(((__u16 )data));
	34	data += 2;
	35
	36	- nfca_poll->nfcid1_len = *data++;
	37	+ nfca_poll->nfcid1_len = min_t(__u8, *data++, sizeof(nfca_poll->nfcid1));
	38
	39	nfc_dbg("sens_res 0x%x, nfcid1_len %d",
	40	nfca_poll->sens_res,
	41	@@ -111,7 +111,7 @@ static int nci_rf_activate_nfca_passive_poll(struct nci_dev *ndev,
	42
	43	switch (ntf->rf_interface_type) {
	44	case NCI_RF_INTERFACE_ISO_DEP:
	45	- nfca_poll_iso_dep->rats_res_len = *data++;
	46	+ nfca_poll_iso_dep->rats_res_len = min_t(__u8, *data++, 20);
	47	if (nfca_poll_iso_dep->rats_res_len > 0) {
	48	memcpy(nfca_poll_iso_dep->rats_res,
	49	data,
	50	--
	51	1.7.10
	52