NFC: nci: fix possible crash in nci_core_conn_create
authorRobert Dolca <robert.dolca@intel.com>
Thu, 22 Oct 2015 09:11:40 +0000 (12:11 +0300)
committerSamuel Ortiz <sameo@linux.intel.com>
Sun, 25 Oct 2015 19:29:05 +0000 (20:29 +0100)
If the number of destination specific parameters supplied is 0
the call will fail. If the first destination specific parameter
does not have a value, curr_id will be set to 0.

Signed-off-by: Robert Dolca <robert.dolca@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
net/nfc/nci/core.c

index f66a5da85ddbabddb15abaa7a6dbcb79baa7f8f0..9d5f7a2b1d036bb66223ed4c49d989cecfe66a57 100644 (file)
@@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
        if (!cmd)
                return -ENOMEM;
 
+       if (!number_destination_params)
+               return -EINVAL;
+
        cmd->destination_type = destination_type;
        cmd->number_destination_params = number_destination_params;
        memcpy(cmd->params, params, params_len);
 
        data.cmd = cmd;
-       ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
+
+       if (params->length > 0)
+               ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX];
+       else
+               ndev->cur_id = 0;
 
        r = __nci_request(ndev, nci_core_conn_create_req,
                          (unsigned long)&data,
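Review bot: The new `-EINVAL` return at the top of the hunk leaks `cmd`: the `if (!cmd) return -ENOMEM;` just above it shows `cmd` is already allocated when `number_destination_params` is checked, and the early return drops it without freeing. Either move the check before the allocation (which is outside this hunk) or release it on the way out, `if (!number_destination_params) { kfree(cmd); return -EINVAL; }`. The second change guards `params->value[DEST_SPEC_PARAMS_ID_INDEX]` only on `params->length > 0`; if `DEST_SPEC_PARAMS_ID_INDEX` is not zero, the bound should be the index itself, `if (params->length > DEST_SPEC_PARAMS_ID_INDEX)`, otherwise a length of 1 still reads past the supplied value. nci_core_conn_create starts and ends outside the hunk.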