nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling

commit 996419e059 upstream.

Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.

Fixes: 26fc6c7f02 ("NFC: st21nfca: Add HCI transaction event support")
Fixes: 4fbcc1a4cb ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Martin Faltesek 2022-06-06 21:57:28 -05:00 committed by Greg Kroah-Hartman
parent 8433965a12
commit db836b9746
1 changed files with 10 additions and 3 deletions

View File

@ -326,22 +326,29 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
transaction->aid_len = skb->data[1];
/* Checking if the length of the AID is valid */
if (transaction->aid_len > sizeof(transaction->aid))
if (transaction->aid_len > sizeof(transaction->aid)) {
devm_kfree(dev, transaction);
return -EINVAL;
}
memcpy(transaction->aid, &skb->data[2],
transaction->aid_len);
/* Check next byte is PARAMETERS tag (82) */
if (skb->data[transaction->aid_len + 2] !=
NFC_EVT_TRANSACTION_PARAMS_TAG)
NFC_EVT_TRANSACTION_PARAMS_TAG) {
devm_kfree(dev, transaction);
return -EPROTO;
}
transaction->params_len = skb->data[transaction->aid_len + 3];
/* Total size is allocated (skb->len - 2) minus fixed array members */
if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
if (transaction->params_len > ((skb->len - 2) -
sizeof(struct nfc_evt_transaction))) {
devm_kfree(dev, transaction);
return -EINVAL;
}
memcpy(transaction->params, skb->data +
transaction->aid_len + 4, transaction->params_len);