]> git.baikalelectronics.ru Git - kernel.git/commitdiff
nfc: nci: fix the UAF of rf_conn_info object
authorLin Ma <linma@zju.edu.cn>
Thu, 7 Oct 2021 17:44:30 +0000 (19:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 Oct 2021 07:54:28 +0000 (09:54 +0200)
commit 1b1499a817c90fd1ce9453a2c98d2a01cca0e775 upstream.

The nci_core_conn_close_rsp_packet() function will release the conn_info
with given conn_id. However, it needs to set the rf_conn_info to NULL to
prevent other routines like nci_rf_intf_activated_ntf_packet() to trigger
the UAF.

Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/nfc/nci/rsp.c

index a48297b79f34fb05cedf8919215e78312a4e2a34..b0ed2b47ac43700893e05c169f5ca9e10bb406ad 100644 (file)
@@ -277,6 +277,8 @@ static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev,
                                                         ndev->cur_conn_id);
                if (conn_info) {
                        list_del(&conn_info->list);
+                       if (conn_info == ndev->rf_conn_info)
+                               ndev->rf_conn_info = NULL;
                        devm_kfree(&ndev->nfc_dev->dev, conn_info);
                }
        }