Re: [External] : Re: [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

[Denis Efremov]

Hi,

On 6/2/22 20:12, Pavel Machek wrote:
> Hi!
> 
>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>
>> It appears that there are some buffer overflows in EVT_TRANSACTION.
>> This happens because the length parameters that are passed to memcpy
>> come directly from skb->data and are not guarded in any way.
>>
>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx>
>> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
>> Signed-off-by: Denis Efremov <denis.e.efremov@xxxxxxxxxx>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> It seems that this patch causes an memory leak, transaction does not
> seem to be freed in the error paths.
> 
> (I also wonder if the skb should be freed in the error paths...?)
> 
> Reported-by: <theflamefire89@xxxxxxxxx>

Same for upstream code and it looks like the problem existed even
before this patch. I'll prepare an upstream patch and cc it to stable.

Thanks,
Denis