NFC: nci: fix possible crash in nci_core_conn_create
If the number of destination specific parameters supplied is 0
the call will fail. If the first destination specific parameter
does not have a value, curr_id will be set to 0.

Signed-off-by: Robert Dolca <[email protected]>
Signed-off-by: Samuel Ortiz <[email protected]>
Robert Dolca authored and Samuel Ortiz committed Oct 25, 2015
1 parent 22e4bd0 commit caa575a
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion net/nfc/nci/core.c
Expand Up @@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
if (!cmd)
return -ENOMEM;

if (!number_destination_params)
return -EINVAL;

cmd->destination_type = destination_type;
cmd->number_destination_params = number_destination_params;
memcpy(cmd->params, params, params_len);

data.cmd = cmd;
ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];

if (params->length > 0)
ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
else
ndev->cur_id = 0;

r = __nci_request(ndev, nci_core_conn_create_req,
(unsigned long)&data,
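Review bot: the `if (!number_destination_params) return -EINVAL;` check sits after the `if (!cmd) return -ENOMEM;` test, so `cmd` has already been allocated when it fires and this early return leaks it. Move the check above the allocation, or free `cmd` before returning. Separately, the `params->length > 0` guard only shows that `value[0]` exists, while the read is `params->value[DEST_SPEC_PARAMS_ID_INDEX]`; comparing against the index itself (`params->length > DEST_SPEC_PARAMS_ID_INDEX`) keeps the guard correct whatever that constant is. Both `memcpy(cmd->params, params, params_len)` and `params->length` dereference `params` with no NULL check, which is worth adding if any caller can pass NULL.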