Merge "ANDROID: HID: debug: check length in hid_debug_events_read() before copy_to_user()" into android-chromeos-dragon-3.18

commit: d0caa6a27febd6319956b93e5b8d06e45fe5ccbc [log] [tgz]
author: David Lin <dtwlin@google.com> Fri Jul 13 22:36:04 2018 +0000
committer: Android Partner Code Review <android-gerrit-partner@google.com> Fri Jul 13 22:36:04 2018 +0000
tree: 1b9a3565d16cd3057944f0f85a3dae9d63cb2f45
parent: f0205d71f86d40e0cd7003c2223a166d87095964 [diff]
parent: 5ed14fbc1ae9991ea2c11c037c33451fc7957a39 [diff]
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index c4da0c2..d539d12 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c

@@ -149,6 +149,10 @@
 
 	pr_debug("uri: %s, len: %zu\n", uri, uri_len);
 
+	/* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
+	if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
+		return NULL;
+
 	sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
 	if (sdreq == NULL)
 		return NULL;

diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 43cb1c1..d44369e 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c

@@ -60,7 +60,8 @@
 };
 
 static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
-	[NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
+	[NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
+			       .len = U8_MAX - 4 },
 	[NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
 };
commit	d0caa6a27febd6319956b93e5b8d06e45fe5ccbc	[log] [tgz]
author	David Lin <dtwlin@google.com>	Fri Jul 13 22:36:04 2018 +0000
committer	Android Partner Code Review <android-gerrit-partner@google.com>	Fri Jul 13 22:36:04 2018 +0000
tree	1b9a3565d16cd3057944f0f85a3dae9d63cb2f45
parent	f0205d71f86d40e0cd7003c2223a166d87095964 [diff]
parent	5ed14fbc1ae9991ea2c11c037c33451fc7957a39 [diff]