|
@@ -310,6 +310,13 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
|
|
|
case ST21NFCA_EVT_CONNECTIVITY:
|
|
|
break;
|
|
|
case ST21NFCA_EVT_TRANSACTION:
|
|
|
+ /*
|
|
|
+ * According to specification etsi 102 622
|
|
|
+ * 11.2.2.4 EVT_TRANSACTION Table 52
|
|
|
+ * Description Tag Length
|
|
|
+ * AID 81 5 to 16
|
|
|
+ * PARAMETERS 82 0 to 255
|
|
|
+ */
|
|
|
if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
|
|
|
skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
|
|
|
return -EPROTO;
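Review bot: The guard directly under the new comment joins its two tests with `&&`, so a frame is rejected only when it is both too short and carries the wrong tag. A short frame that begins with the AID tag, or a long frame with a different first byte, passes this check and reaches the `skb->data[1]` and `skb->data[2]` accesses shown in the next hunk. Since the comment now documents the expected tag and length, the check should enforce each one independently: `if (skb->len < NFC_MIN_AID_LENGTH + 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)`. The `case` body continues outside this hunk.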
|
|
@@ -318,8 +325,10 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host,
|
|
|
skb->len - 2, GFP_KERNEL);
|
|
|
|
|
|
transaction->aid_len = skb->data[1];
|
|
|
- memcpy(transaction->aid, &skb->data[2], skb->data[1]);
|
|
|
+ memcpy(transaction->aid, &skb->data[2],
|
|
|
+ transaction->aid_len);
|
|
|
|
|
|
+ /* Check next byte is PARAMETERS tag (82) */
|
|
|
if (skb->data[transaction->aid_len + 2] !=
|
|
|
NFC_EVT_TRANSACTION_PARAMS_TAG)
|
|
|
return -EPROTO;
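Review bot: The length in the rewritten `memcpy(transaction->aid, &skb->data[2], transaction->aid_len)` is taken straight from `skb->data[1]`, a byte supplied by the peer, and nothing in this hunk compares it with `skb->len` or with the size of `transaction->aid`. The allocation visible above is sized from `skb->len - 2`, so an AID length larger than the frame actually carries can make the copy read past the received data and write past the destination. The same unchecked value then indexes `skb->data[transaction->aid_len + 2]` for the PARAMETERS tag test. A bound before the copy would close both, for example `if (transaction->aid_len > sizeof(transaction->aid) || skb->len < transaction->aid_len + 3) return -EPROTO;`. This assumes `aid` is a fixed array sized for the 16-byte maximum in the table, which should be confirmed against the struct definition. The allocation call and the rest of the `case` body lie outside this hunk, so the parameters length read later needs the same treatment there.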
|