From 9a3ad2e789ea6a027a8b0d48c88bd716d180f67f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=83=A1=E9=80=B8=E9=A3=9E?=
Date: Wed, 20 Apr 2022 11:30:38 +0800
Subject: [PATCH] =?UTF-8?q?=E5=90=8C=E6=AD=A55.10=20CVE=E8=A1=A5=E4=B8=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 胡逸飞
---
 drivers/nfc/st21nfca/se.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 mode change 100644 => 100755 drivers/nfc/st21nfca/se.c

diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
old mode 100644
new mode 100755
index c8bdf078d111..0841e0e370a0
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -320,6 +320,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
 return -ENOMEM;
 
 transaction->aid_len = skb->data[1];
+
+/* Checking if the length of the AID is valid */
+if (transaction->aid_len > sizeof(transaction->aid))
+return -EINVAL;
+
 memcpy(transaction->aid, &skb->data[2],
 transaction->aid_len);
 
@@ -329,6 +334,11 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
 return -EPROTO;
 
 transaction->params_len = skb->data[transaction->aid_len + 3];
+
+/* Total size is allocated (skb->len - 2) minus fixed array members */
+if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+return -EINVAL;
+
 memcpy(transaction->params, skb->data +
 transaction->aid_len + 4, transaction->params_len);
 
-- 
Gitee
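Review bot: The new aid_len check in the first hunk bounds the copy only against the destination `transaction->aid`, not against the incoming buffer, so a short skb still lets the memcpy from `&skb->data[2]` and the later indexed reads at `skb->data[transaction->aid_len + 2]` and `skb->data[transaction->aid_len + 3]` (context lines of the second hunk) run past `skb->len`. Folding the source bound into the same condition, `if (transaction->aid_len > sizeof(transaction->aid) || skb->len < transaction->aid_len + 4) return -EINVAL;`, rejects the event before any aid_len-derived offset is dereferenced. The comment would then be more useful as `/* AID must fit the aid[] array and the skb must carry AID, params tag and params length */`. The enclosing function st21nfca_connectivity_event_received begins and ends outside both hunks, and the accompanying mode change of se.c from 100644 to 100755 looks unintended for a C source file.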
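Review bot: The params_len bound added in the second hunk, `(skb->len - 2) - sizeof(struct nfc_evt_transaction)`, is evaluated in unsigned arithmetic (skb->len is an unsigned length and sizeof yields size_t), so for an skb shorter than `2 + sizeof(struct nfc_evt_transaction)` the subtraction wraps to a huge value and the comparison accepts any params_len, leaving the following memcpy unbounded in precisely the case the check targets. Testing the minimum length first keeps the expression well-defined: `if (skb->len < 2 + sizeof(struct nfc_evt_transaction) || transaction->params_len > (skb->len - 2) - sizeof(struct nfc_evt_transaction)) return -EINVAL;`. The existing comment describes only the destination allocation; it should also say that the source range `skb->data + aid_len + 4` for params_len bytes is presumed to lie inside the skb only because aid_len was capped earlier, which is an assumption worth confirming against the struct layout rather than leaving implicit.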