llcp_add_tlv() appends TLV data to an skb using skb_put_data()
without first verifying that sufficient tailroom is available.

Add a tailroom check to avoid writing past end of the skb when
building LLCP PDUs.

Signed-off-by: Sam Swicegood <sam@gib.games>
---
 net/nfc/llcp_commands.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index b652323bc2c1..10acc5da954f 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -300,9 +300,10 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu,
 static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv,
 				    u8 tlv_length)
 {
-	/* XXX Add an skb length check */
+	if (!pdu || !tlv)
+		return NULL;
 
-	if (tlv == NULL)
+	if (skb_tailroom(pdu) < tlv_length)
 		return NULL;
 
 	skb_put_data(pdu, tlv, tlv_length);
-- 
2.43.0