Followup to "nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION" #cip


theflamefire89@...
 

Hi all,
I noticed that the mentioned patch (https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?h=linux-4.4.y-st&id=b2df16de20b3f2ee6dbaf86b474e1bd87ddd8d51) made it into various CIP branches, e.g. linux-4.4.y-st.
It fixes potential OOB writes.
However, it also introduces memory leaks due to the new return statements leaking the allocated `transaction`, i.e. it misses a `devm_kfree(dev, transaction);` in those cases.
Furthermore, there is also a logic error and potential OOB read issues which are fixed in various Android kernel forks. See e.g. https://android-review.linaro.org/plugins/gitiles/kernel/hikey-linaro/+/bf7ef8f2d57cd1f5f1846dd58ff9309efad58252

I haven't found patches for that in the upstream kernels and I do not know the policy regarding such issues / not-yet-upstream patches.
Anyway, those issues exist, at least for some of them there are patches, and adding the missing devm_kfree is trivial, so I wanted to make you aware of that.

Thanks,
Flamefire
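An added illustration, not the st21nfca driver's code and not taken from either of the commits linked above, of the bug class the message describes: an event parser that gains length checks but returns early after allocating its `transaction`, so every rejected event leaks one allocation, beside a variant that validates all length fields before allocating and therefore has no post-allocation failure path. The tag values, `MAX_AID_LEN`, the `dev_alloc`/`dev_free` counting allocator standing in for `devm_kzalloc`/`devm_kfree`, and the sample events are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values; the real driver's tags and limits are not assumed here. */
#define AID_TAG     0x81
#define PARAMS_TAG  0x82
#define MAX_AID_LEN 16

/* Simplified model of an EVT_TRANSACTION record: AID followed by parameters. */
struct transaction {
    uint8_t aid_len;
    uint8_t params_len;
    uint8_t aid[MAX_AID_LEN];
    uint8_t params[];          /* flexible array, sized at allocation time */
};

/* Userspace stand-in for devm_kzalloc/devm_kfree that counts live allocations,
 * so a leak shows up as a nonzero count after the parser returns. */
static int live_allocs;
static void *dev_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void dev_free(void *p)   { if (p) { free(p); live_allocs--; } }

/* Consumer of a parsed transaction; here it simply releases the record. */
static void deliver(struct transaction *t) { dev_free(t); }

/* Pattern A: bounds checks are present (no OOB read/write on any of the
 * constructed inputs), but two checks run after the allocation and return
 * without freeing it. Each rejected event leaks one transaction. */
static int parse_leaky(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != AID_TAG) return -1;
    uint8_t aid_len = buf[1];
    /* aid_len + 4 covers: tag, aid_len byte, AID bytes, params tag, params_len byte */
    if (aid_len > MAX_AID_LEN || (size_t)aid_len + 4 > len) return -1;
    uint8_t params_len = buf[aid_len + 3];

    struct transaction *t = dev_alloc(sizeof(*t) + params_len);
    if (!t) return -1;
    t->aid_len = aid_len;
    memcpy(t->aid, &buf[2], aid_len);

    if (buf[aid_len + 2] != PARAMS_TAG) return -1;             /* leaks t */
    if ((size_t)aid_len + 4 + params_len > len) return -1;     /* leaks t */

    t->params_len = params_len;
    memcpy(t->params, &buf[aid_len + 4], params_len);
    deliver(t);
    return 0;
}

/* Pattern B: every length and tag check precedes the allocation, so there is
 * no error path that owns memory. Nothing to free on rejection. */
static int parse_fixed(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != AID_TAG) return -1;
    uint8_t aid_len = buf[1];
    if (aid_len > MAX_AID_LEN || (size_t)aid_len + 4 > len) return -1;
    if (buf[aid_len + 2] != PARAMS_TAG) return -1;
    uint8_t params_len = buf[aid_len + 3];
    if ((size_t)aid_len + 4 + params_len > len) return -1;

    struct transaction *t = dev_alloc(sizeof(*t) + params_len);
    if (!t) return -1;
    t->aid_len = aid_len;
    t->params_len = params_len;
    memcpy(t->aid, &buf[2], aid_len);
    memcpy(t->params, &buf[aid_len + 4], params_len);
    deliver(t);
    return 0;
}

/* Runs one parser on one event and reports how many allocations it left live. */
static int leaked_after(int (*parse)(const uint8_t *, size_t), const uint8_t *buf, size_t len)
{
    live_allocs = 0;
    (void)parse(buf, len);
    return live_allocs;
}

/* Constructed sample events (not captured traffic). */
static const uint8_t ev_good[]      = { AID_TAG, 3, 'a', 'b', 'c', PARAMS_TAG, 2, 'x', 'y' };
static const uint8_t ev_bad_tag[]   = { AID_TAG, 3, 'a', 'b', 'c', 0x00,       2, 'x', 'y' };
static const uint8_t ev_truncated[] = { AID_TAG, 3, 'a', 'b', 'c', PARAMS_TAG, 5, 'x', 'y' };

int main(void)
{
    printf("leaky/bad tag:   %d live\n", leaked_after(parse_leaky, ev_bad_tag, sizeof ev_bad_tag));
    printf("leaky/truncated: %d live\n", leaked_after(parse_leaky, ev_truncated, sizeof ev_truncated));
    printf("fixed/bad tag:   %d live\n", leaked_after(parse_fixed, ev_bad_tag, sizeof ev_bad_tag));
    printf("fixed/good:      %d live\n", leaked_after(parse_fixed, ev_good, sizeof ev_good));
    return 0;
}
```

The same property can be checked on real driver code by running a malformed-event test under kmemleak or KASAN; here the counting allocator plays that role so the difference between the two patterns is visible without a kernel.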
