Since commit 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more.

The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct).

For these cases it is only possible to check for minimum packet length.

Fixes: 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data") Cc: stable@vger.kernel.org Signed-off-by: Michael Thalmeier michael.thalmeier@hale.at --- net/nfc/nci/ntf.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index 418b84e2b260..5161e94f067f 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, struct nci_conn_info *conn_info; int i;

- if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + /* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */ + if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry))) return -EINVAL;

ntf = (struct nci_core_conn_credit_ntf *)skb->data; @@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, const __u8 *data; bool add_target = true;

- if (skb->len < sizeof(struct nci_rf_discover_ntf)) + /* Minimal packet size is 5 if rf_tech_specific_params_len=0 */ + if (skb->len < (5 * sizeof(__u8))) return -EINVAL;

data = skb->data; @@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, const __u8 *data; int err = NCI_STATUS_OK;

- if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + /* Minimal packet size is 11 if + * f_tech_specific_params_len=0 and activation_params_len=0 + */ + if (skb->len < (11 * sizeof(__u8))) return -EINVAL;

data = skb->data;