diff options
author | Robert Dolca <robert.dolca@intel.com> | 2015-10-22 12:11:40 +0300 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2015-10-25 20:29:05 +0100 |
commit | caa575a86ec1f177730cafa089d69ab4e424860c (patch) | |
tree | 1470623ae3570e1464697599c8bc8471c0c7f815 /net/nfc | |
parent | 22e4bd09c401905671f3787a8392d269a0ebfa0d (diff) | |
download | op-kernel-dev-caa575a86ec1f177730cafa089d69ab4e424860c.zip op-kernel-dev-caa575a86ec1f177730cafa089d69ab4e424860c.tar.gz |
NFC: nci: fix possible crash in nci_core_conn_create
If the number of destination speific parameters supplied is 0
the call will fail. If the first destination specific parameter
does not have a value, curr_id will be set to 0.
Signed-off-by: Robert Dolca <robert.dolca@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'net/nfc')
-rw-r--r-- | net/nfc/nci/core.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index f66a5da..9d5f7a2 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -602,12 +602,19 @@ int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type, if (!cmd) return -ENOMEM; + if (!number_destination_params) + return -EINVAL; + cmd->destination_type = destination_type; cmd->number_destination_params = number_destination_params; memcpy(cmd->params, params, params_len); data.cmd = cmd; - ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX]; + + if (params->length > 0) + ndev->cur_id = params->value[DEST_SPEC_PARAMS_ID_INDEX]; + else + ndev->cur_id = 0; r = __nci_request(ndev, nci_core_conn_create_req, (unsigned long)&data, |