Diffstat (limited to 'drivers/nfc/st21nfcb/st21nfcb_se.c')
-rw-r--r-- | drivers/nfc/st21nfcb/st21nfcb_se.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/nfc/st21nfcb/st21nfcb_se.c b/drivers/nfc/st21nfcb/st21nfcb_se.c
index 7c82e9d..24862a5 100644
--- a/drivers/nfc/st21nfcb/st21nfcb_se.c
+++ b/drivers/nfc/st21nfcb/st21nfcb_se.c
@@ -321,6 +321,12 @@ static int st21nfcb_hci_connectivity_event_received(struct nci_dev *ndev,
 break;
 case ST21NFCB_EVT_TRANSACTION:
+ /* According to specification etsi 102 622
+ * 11.2.2.4 EVT_TRANSACTION Table 52
+ * Description Tag Length
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
+ */
 if (skb->len < NFC_MIN_AID_LENGTH + 2 && skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) return -EPROTO;
@@ -329,8 +335,9 @@ static int st21nfcb_hci_connectivity_event_received(struct nci_dev *ndev,
 skb->len - 2, GFP_KERNEL);
 transaction->aid_len = skb->data[1];
- memcpy(transaction->aid, &skb->data[2], skb->data[1]);
+ memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
+ /* Check next byte is PARAMETERS tag (82) */
 if (skb->data[transaction->aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) return -EPROTO;
@@ -340,6 +347,7 @@ static int st21nfcb_hci_connectivity_event_received(struct nci_dev *ndev,
 transaction->aid_len + 4, transaction->params_len);
 r = nfc_se_transaction(ndev->nfc_dev, host, transaction);
+ break;
 default:
 return 1;
 }
@@ -542,14 +550,12 @@ static int st21nfcb_hci_network_init(struct nci_dev *ndev)
 r = nci_hci_dev_session_init(ndev);
 if (r != NCI_HCI_ANY_OK)
- goto exit;
+ goto free_dest_params;
 r = nci_nfcee_mode_set(ndev, ndev->hci_dev->conn_info->id, NCI_NFCEE_ENABLE);
 if (r != NCI_STATUS_OK)
- goto exit;
-
- return 0;
+ goto free_dest_params;
 free_dest_params:
 kfree(dest_params); |
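Review bot: The length/tag guard directly under the new comment in the `@@ -321,6 +321,12 @@` hunk joins its two tests with `&&`, so an event is rejected only when it is both too short and carries the wrong tag. A short frame whose first byte is the AID tag, or a long frame with a different tag, still goes on to be parsed. The condition should read `if (skb->len < NFC_MIN_AID_LENGTH + 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)`, which also keeps the `skb->data[0]` read behind the length test. The new comment documents the Table 52 bounds but nothing in this hunk enforces them; the enclosing function starts and ends outside the hunk.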
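Review bot: `transaction->aid_len` in the `@@ -329,8 +335,9 @@` hunk is still taken straight from `skb->data[1]` and then used as the memcpy length and as an index into `skb->data`, without being compared to the 16-byte AID maximum the new comment cites or to `skb->len`. The destination was allocated with `skb->len - 2` bytes, so a length byte larger than the remaining payload would make the copy read past the skb data and write past the allocation. A bound right after the assignment would close this, e.g. `if (transaction->aid_len > 16 || skb->len < transaction->aid_len + 4) return -EPROTO;`, ideally placed before the allocation, whose start and NULL check are outside the hunk. The tail of the call visible in the `@@ -340,6 +347,7 @@` hunk uses `transaction->params_len` as a length in the same way and needs the matching check against what is left of `skb->len`.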
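Review bot: With `return 0;` removed in the `@@ -542,14 +550,12 @@` hunk, the success path now falls through `free_dest_params:` as well, which neither the label name nor the surrounding code makes obvious. A comment at the label such as `/* reached on success too; r is NCI_STATUS_OK on that path */` would state the intent. The value finally returned is set by code after `kfree(dest_params);`, outside the hunk; if that is `r`, the failure paths hand back NCI/HCI status codes rather than negative errnos, which is worth confirming against what callers expect. It is also worth confirming that nothing called earlier in the function keeps the `dest_params` pointer, since it is now freed on every path.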