From 56f1ffcccd784672654918f9214979b4918c2544 Mon Sep 17 00:00:00 2001
From: Christophe Ricard <christophe.ricard@gmail.com>
Date: Mon, 11 Aug 2014 00:04:56 +0200
Subject: [PATCH] NFC: st21nfca: Add condition to make sure atr_req->length is
 valid.

gb_len in st21nfca_tm_send_atr_res can be negative. Not checking for
that could lead to a potential kernel oops.
We now make sure that atr_req->length > sizeof(struct st21nfca_atr_req)
to avoid such situation.

Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
---
 drivers/nfc/st21nfca/st21nfca_dep.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c
index b6de27b5011d..6c09a66d9a1d 100644
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c
@@ -211,6 +211,11 @@ static int st21nfca_tm_recv_atr_req(struct nfc_hci_dev *hdev,
 
 	atr_req = (struct st21nfca_atr_req *)skb->data;
 
+	if (atr_req->length < sizeof(struct st21nfca_atr_req)) {
+		r = -EPROTO;
+		goto exit;
+	}
+
 	r = st21nfca_tm_send_atr_res(hdev, atr_req);
 	if (r)
 		goto exit;
-- 
2.34.1