forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2024-10-22 8ac6c7a54ed1b98d142dce24b11c6de6a1e239a5 
 kernel/net/nfc/nci/ntf.c
....@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
12 /*
23  *  The NFC Controller Interface is the communication protocol between an
34  *  NFC Controller (NFCC) and a Device Host (DH).
....@@ -10,19 +11,6 @@
1011  *  Acknowledgements:
1112  *  This file is based on hci_event.c, which was written
1213  *  by Maxim Krasnyansky.
13
- *
14
- *  This program is free software; you can redistribute it and/or modify
15
- *  it under the terms of the GNU General Public License version 2
16
- *  as published by the Free Software Foundation
17
- *
18
- *  This program is distributed in the hope that it will be useful,
19
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
20
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
21
- *  GNU General Public License for more details.
22
- *
23
- *  You should have received a copy of the GNU General Public License
24
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
25
- *
2614  */
2715 
2816 #define pr_fmt(fmt) KBUILD_MODNAME ": %s: " fmt, __func__
....@@ -230,6 +218,8 @@
230218 		target->sens_res = nfca_poll->sens_res;
231219 		target->sel_res = nfca_poll->sel_res;
232220 		target->nfcid1_len = nfca_poll->nfcid1_len;
221
+		if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1))
222
+			return -EPROTO;
233223 		if (target->nfcid1_len > 0) {
234224 			memcpy(target->nfcid1, nfca_poll->nfcid1,
235225 			       target->nfcid1_len);
....@@ -238,6 +228,8 @@
238228 		nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
239229 
240230 		target->sensb_res_len = nfcb_poll->sensb_res_len;
231
+		if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
232
+			return -EPROTO;
241233 		if (target->sensb_res_len > 0) {
242234 			memcpy(target->sensb_res, nfcb_poll->sensb_res,
243235 			       target->sensb_res_len);
....@@ -246,6 +238,8 @@
246238 		nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
247239 
248240 		target->sensf_res_len = nfcf_poll->sensf_res_len;
241
+		if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
242
+			return -EPROTO;
249243 		if (target->sensf_res_len > 0) {
250244 			memcpy(target->sensf_res, nfcf_poll->sensf_res,
251245 			       target->sensf_res_len);