diff options
| -rw-r--r-- | net/nfc/nci/core.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 1bdaf680b488..3c42b149c729 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1471,10 +1471,20 @@ static bool nci_valid_size(struct sk_buff *skb) unsigned int hdr_size = NCI_CTRL_HDR_SIZE; if (skb->len < hdr_size || - !nci_plen(skb->data) || skb->len < hdr_size + nci_plen(skb->data)) { return false; } + + if (!nci_plen(skb->data)) { + /* Allow zero length in proprietary notifications (0x20 - 0x3F). */ + if (nci_opcode_oid(nci_opcode(skb->data)) >= 0x20 && + nci_mt(skb->data) == NCI_MT_NTF_PKT) + return true; + + /* Disallow zero length otherwise. */ + return false; + } + return true; } |