NFC: Fix possible NULL pointer dereference

If user provided buffer length less than the minimum expectation
in the NFC driver during cold reset use case then it can lead to
NULL pointer deference in memset() API.

Fix possible read overflow during debug print, payload byte is
not present always so only header should be printed.

Change-Id: I3a88bf980d5dc8d227f6938c05d38a67aa661bbe
Signed-off-by: Gaurav Singhal <gsinghal@codeaurora.org>

drivers/nfc/qti/ese_cold_reset.c

@@ -153,7 +153,7 @@ int ese_cold_reset_ioctl(struct nfc_dev *nfc_dev, unsigned long arg)
 		return -EFAULT;
 	}
 
-	nfc_dev->cold_reset.arg = kzalloc(ioctl_arg.buf_size,
+	nfc_dev->cold_reset.arg = kzalloc(sizeof(struct ese_cold_reset_arg),
 							GFP_KERNEL);
 	if (!nfc_dev->cold_reset.arg)
 		return -ENOMEM;
@@ -161,7 +161,7 @@ int ese_cold_reset_ioctl(struct nfc_dev *nfc_dev, unsigned long arg)
 	ret = copy_struct_from_user(nfc_dev->cold_reset.arg,
 				sizeof(struct ese_cold_reset_arg),
 				u64_to_user_ptr(ioctl_arg.buf),
-				ioctl_arg.buf_size);
+				sizeof(struct ese_cold_reset_arg));
 	if (ret) {
 		dev_err(nfc_dev->nfc_device,
 			"ese ioctl arg buffer copy from user failed\n");
@@ -257,11 +257,10 @@ int ese_cold_reset_ioctl(struct nfc_dev *nfc_dev, unsigned long arg)
 		goto err;
 	}
 
-	pr_debug("nfc ese cmd hdr 0x%x 0x%x 0x%x , payload byte0 = 0x%x\n",
+	pr_debug("nfc ese cmd hdr 0x%x 0x%x 0x%x\n",
 				nfc_dev->cold_reset.cmd_buf[0],
 				nfc_dev->cold_reset.cmd_buf[1],
-				nfc_dev->cold_reset.cmd_buf[2],
-				nfc_dev->cold_reset.cmd_buf[3]);
+				nfc_dev->cold_reset.cmd_buf[2]);
 
 	ret = send_ese_cmd(nfc_dev);
 	if (ret <= 0) {