diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index a818eff27e6b..f5e03f3ff203 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -809,35 +809,61 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb)
 
 switch (ntf_opcode) {
 case NCI_OP_CORE_RESET_NTF:
- nci_core_reset_ntf_packet(ndev, skb);
+ if (skb->len < sizeof(struct nci_core_reset_ntf))
+ goto end;
+ else
+ nci_core_reset_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_CORE_CONN_CREDITS_NTF:
- nci_core_conn_credits_ntf_packet(ndev, skb);
+ if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
+ goto end;
+ else
+ nci_core_conn_credits_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_CORE_GENERIC_ERROR_NTF:
- nci_core_generic_error_ntf_packet(ndev, skb);
+ if (skb->len < 1)
+ goto end;
+ else
+ nci_core_generic_error_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_CORE_INTF_ERROR_NTF:
- nci_core_conn_intf_error_ntf_packet(ndev, skb);
+ if (skb->len < sizeof(struct nci_core_intf_error_ntf))
+ goto end;
+ else
+ nci_core_conn_intf_error_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_RF_DISCOVER_NTF:
- nci_rf_discover_ntf_packet(ndev, skb);
+ // tech specific params are included as unions
+ if (skb->len < sizeof(struct nci_rf_discover_ntf))
+ goto end;
+ else
+ nci_rf_discover_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_RF_INTF_ACTIVATED_NTF:
- nci_rf_intf_activated_ntf_packet(ndev, skb);
+ // tech specific params are included as unions
+ if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
+ goto end;
+ else
+ nci_rf_intf_activated_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_RF_DEACTIVATE_NTF:
- nci_rf_deactivate_ntf_packet(ndev, skb);
+ if (skb->len < sizeof(struct nci_rf_deactivate_ntf))
+ goto end;
+ else
+ nci_rf_deactivate_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_NFCEE_DISCOVER_NTF:
- nci_nfcee_discover_ntf_packet(ndev, skb);
+ if (skb->len < sizeof(struct nci_nfcee_discover_ntf))
+ goto end;
+ else
+ nci_nfcee_discover_ntf_packet(ndev, skb);
 break;
 
 case NCI_OP_RF_NFCEE_ACTION_NTF:
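Review bot: The length guards for NCI_OP_RF_DISCOVER_NTF and NCI_OP_RF_INTF_ACTIVATED_NTF compare `skb->len` with `sizeof()` of structs that, per the added comment, hold the tech-specific parameters as unions, so the bound is the size of the largest variant plus any padding rather than the shortest valid notification. If these structs are the parsed host-side representation and not the wire layout (their definitions are outside this hunk), well-formed short notifications are silently dropped at `goto end`, while a packet that passes can still carry internal length fields that run past `skb->len`; the same question applies to `sizeof(struct nci_core_conn_credit_ntf)` if it embeds a maximum-sized entry array. I would check only the fixed wire header here, document it with something like `/* minimum wire length only; the handler bounds each variable-length field */`, and have each handler validate its own length fields as it parses. The `else` after every `goto end;` is redundant, and the bare `1` in the NCI_OP_CORE_GENERIC_ERROR_NTF case deserves a named constant or a short comment saying which field it covers. nci_ntf_packet() starts before and continues past this hunk, so the `end` label and the remaining cases are not visible here.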