Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge branch 'nfc-st-nci-restructure-validating-logic-in-evt_transaction'

Martin Faltesek says:

====================
nfc: st-nci: Restructure validating logic in EVT_TRANSACTION

These are the same 3 patches that were applied in st21nfca here:
https://lore.kernel.org/netdev/20220607025729.1673212-1-mfaltesek@google.com
with a couple minor differences.

st-nci has nearly identical code to that of st21nfca for EVT_TRANSACTION,
except that there are two extra validation checks that are not present
in the st-nci code.

The 3/3 patch as coded for st21nfca pulls those checks in, bringing both
drivers into parity.
====================

Link: https://lore.kernel.org/r/20221122004246.4186422-1-mfaltesek@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
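The EVT_TRANSACTION layout these patches validate (AID tag 0x81, one AID length byte, 5 to 16 AID bytes, PARAMETERS tag 0x82, one params length byte, 0 to 255 params bytes) as a standalone userspace parser that checks every length-derived offset before it is read, in the same order the restructured driver code does. This is an added example, not the kernel's se.c code or the patch series itself; the macro names, the fixed-size struct used in place of nfc_evt_transaction and the sample packets are assumptions constructed for the example, and the lower AID bound of 5 is taken from the table in the driver comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag values and AID bounds as given in the driver comment; the macro
 * names are assumed for this example, not the kernel's identifiers. */
#define EVT_AID_TAG      0x81
#define EVT_PARAMS_TAG   0x82
#define EVT_MIN_AID_LEN  5
#define EVT_MAX_AID_LEN  16

/* Userspace stand-in for struct nfc_evt_transaction (assumed layout):
 * fixed-width AID storage, u32 aid_len, and params kept fixed-size here
 * so the example needs no allocation. */
struct evt_transaction {
    uint32_t aid_len;
    uint8_t  aid[EVT_MAX_AID_LEN];
    uint8_t  params_len;
    uint8_t  params[255];
};

/* Parse one payload laid out as
 *   [0x81][aid_len][aid ...][0x82][params_len][params ...]
 * Each offset computed from an attacker-controlled length byte is bounds
 * checked against len before the byte at that offset is touched.
 * Returns 0 on success, -1 (the EPROTO analogue) on any malformed input.
 * out may be NULL to validate without copying. */
int parse_evt_transaction(const uint8_t *data, size_t len,
                          struct evt_transaction *out)
{
    uint32_t aid_len;
    uint8_t params_len;

    /* Need at least the AID tag and the AID length byte. */
    if (len < 2 || data[0] != EVT_AID_TAG)
        return -1;

    aid_len = data[1];
    /* Bound the AID before it is used as an offset or a copy length. */
    if (aid_len < EVT_MIN_AID_LEN || aid_len > EVT_MAX_AID_LEN)
        return -1;
    /* AID bytes plus the PARAMETERS tag and params length byte. */
    if (len < (size_t)aid_len + 4)
        return -1;

    if (data[aid_len + 2] != EVT_PARAMS_TAG)
        return -1;
    params_len = data[aid_len + 3];
    /* Final check: the whole params body must be present. */
    if (len < (size_t)aid_len + 4 + params_len)
        return -1;

    if (out) {
        memset(out, 0, sizeof(*out));
        out->aid_len = aid_len;
        memcpy(out->aid, &data[2], aid_len);
        out->params_len = params_len;
        memcpy(out->params, &data[aid_len + 4], params_len);
    }
    return 0;
}

/* Parse and return one decoded field (0 = aid_len, 1 = params_len),
 * or -1 if the packet is rejected. */
int parsed_field(const uint8_t *data, size_t len, int field)
{
    struct evt_transaction t;

    if (parse_evt_transaction(data, len, &t) != 0)
        return -1;
    return field == 0 ? (int)t.aid_len : (int)t.params_len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_good[] = {
    0x81, 0x05, 0xA0, 0x00, 0x00, 0x00, 0x03, /* AID tag, len 5, AID */
    0x82, 0x02, 0x11, 0x22                    /* PARAMS tag, len 2, params */
};
/* aid_len 0xFF: an unchecked memcpy of 255 bytes into a 16-byte aid. */
static const uint8_t pkt_aid_overflow[] = { 0x81, 0xFF, 0x82, 0x00 };
/* params_len claims 200 bytes but only 2 follow. */
static const uint8_t pkt_params_truncated[] = {
    0x81, 0x05, 1, 2, 3, 4, 5, 0x82, 0xC8, 0x11, 0x22
};
/* Second tag is not PARAMETERS (0x82). */
static const uint8_t pkt_bad_tag[] = { 0x81, 0x05, 1, 2, 3, 4, 5, 0x83, 0x00 };

int main(void)
{
    printf("good: %d\n", parse_evt_transaction(pkt_good, sizeof pkt_good, NULL));
    printf("aid overflow: %d\n",
           parse_evt_transaction(pkt_aid_overflow, sizeof pkt_aid_overflow, NULL));
    printf("params truncated: %d\n",
           parse_evt_transaction(pkt_params_truncated, sizeof pkt_params_truncated, NULL));
    printf("bad tag: %d\n", parse_evt_transaction(pkt_bad_tag, sizeof pkt_bad_tag, NULL));
    return 0;
}
```

The order of the checks is the point: the length byte is bounded before it is used as an offset, the offset is bounded before the tag at that offset is read, and the params length is bounded before anything is copied, so no malformed packet reaches a memcpy with a size it controls.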

+36 -13
drivers/nfc/st-nci/se.c
··· 312 312 int r = 0; 313 313 struct device *dev = &ndev->nfc_dev->dev; 314 314 struct nfc_evt_transaction *transaction; 315 + u32 aid_len; 316 + u8 params_len; 315 317 316 318 pr_debug("connectivity gate event: %x\n", event); 317 319 ··· 327 325 * Description Tag Length 328 326 * AID 81 5 to 16 329 327 * PARAMETERS 82 0 to 255 328 + * 329 + * The key differences are aid storage length is variably sized 330 + * in the packet, but fixed in nfc_evt_transaction, and that 331 + * the aid_len is u8 in the packet, but u32 in the structure, 332 + * and the tags in the packet are not included in 333 + * nfc_evt_transaction. 334 + * 335 + * size(b): 1 1 5-16 1 1 0-255 336 + * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4 337 + * mem name: aid_tag(M) aid_len aid params_tag(M) params_len params 338 + * example: 0x81 5-16 X 0x82 0-255 X 330 339 */ 331 - if (skb->len < NFC_MIN_AID_LENGTH + 2 && 332 - skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) 340 + if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) 333 341 return -EPROTO; 334 342 335 - transaction = devm_kzalloc(dev, skb->len - 2, GFP_KERNEL); 343 + aid_len = skb->data[1]; 344 + 345 + if (skb->len < aid_len + 4 || 346 + aid_len > sizeof(transaction->aid)) 347 + return -EPROTO; 348 + 349 + params_len = skb->data[aid_len + 3]; 350 + 351 + /* Verify PARAMETERS tag is (82), and final check that there is 352 + * enough space in the packet to read everything. 
353 + */ 354 + if (skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG || 355 + skb->len < aid_len + 4 + params_len) 356 + return -EPROTO; 357 + 358 + transaction = devm_kzalloc(dev, sizeof(*transaction) + 359 + params_len, GFP_KERNEL); 336 360 if (!transaction) 337 361 return -ENOMEM; 338 362 339 - transaction->aid_len = skb->data[1]; 340 - memcpy(transaction->aid, &skb->data[2], transaction->aid_len); 363 + transaction->aid_len = aid_len; 364 + transaction->params_len = params_len; 341 365 342 - /* Check next byte is PARAMETERS tag (82) */ 343 - if (skb->data[transaction->aid_len + 2] != 344 - NFC_EVT_TRANSACTION_PARAMS_TAG) 345 - return -EPROTO; 346 - 347 - transaction->params_len = skb->data[transaction->aid_len + 3]; 348 - memcpy(transaction->params, skb->data + 349 - transaction->aid_len + 4, transaction->params_len); 366 + memcpy(transaction->aid, &skb->data[2], aid_len); 367 + memcpy(transaction->params, &skb->data[aid_len + 4], 368 + params_len); 350 369 351 370 r = nfc_se_transaction(ndev->nfc_dev, host, transaction); 352 371 break;
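Review bot: the new aid_len check (`if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid))`) enforces only the upper bound, while the table in the comment directly above it says the AID is 5 to 16 bytes and the removed check referenced NFC_MIN_AID_LENGTH; the lower bound is dropped by the restructuring. If a short or zero-length AID is not meaningful to nfc_se_transaction(), add `aid_len < NFC_MIN_AID_LENGTH ||` to that condition, otherwise say in the comment that short AIDs are deliberately accepted. The removed `skb->len < NFC_MIN_AID_LENGTH + 2 && skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG` combined its two conditions with `&&`, so neither was reliably enforced; the replacement `skb->len < 2 || skb->data[0] != ...` corrects that operator, and reading params_len only after `skb->len < aid_len + 4` has passed, then checking `skb->len < aid_len + 4 + params_len` before the memcpy, closes the out-of-bounds read and the oversized copy into the fixed 16-byte aid. Sizing the allocation as `sizeof(*transaction) + params_len` rather than `skb->len - 2` is right now that aid is fixed-width in the structure. Unchanged but worth a follow-up: the buffer is still devm_kzalloc()'d per event with no release in this function, so it lives until the device is torn down.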