net: nfc: fix bounds checking bugs on "pipe"
This is similar to commit
c1609579a421 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands") and commit
1f596720b2eb
("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
added range checks on "pipe".
The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
It's in the 0-255 range. We're using it as the array index into the
hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
Fixes: 44a23a6c34c2 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
projects / kernel.git / commit