From: Jakub Kicinski <kuba@kernel.org>
To: ian.ray@gehealthcare.com
Cc: Jakub Kicinski <kuba@kernel.org>,
ryasuoka@redhat.com, jeremy@jcline.org, krzk@kernel.org,
netdev@vger.kernel.org, davem@davemloft.net,
linux-kernel@vger.kernel.org, horms@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: Re: nfc: nci: Fix zero-length proprietary OIDs
Date: Fri, 20 Feb 2026 13:34:19 -0800 [thread overview]
Message-ID: <20260220213419.3181677-1-kuba@kernel.org> (raw)
In-Reply-To: <20260220112536.100017-1-ian.ray@gehealthcare.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
nfc: nci: Fix zero-length proprietary OIDs
This patch allows zero-length payloads for proprietary OIDs (0x20-0x3F)
to support the NXP NCI_RF_TXLDO_ERROR_NTF notification case.
> diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
> index e419e020a70a..78da0fb9ef3f 100644
> --- a/net/nfc/nci/core.c
> +++ b/net/nfc/nci/core.c
> @@ -1482,10 +1482,16 @@ static bool nci_valid_size(struct sk_buff *skb)
> unsigned int hdr_size = NCI_CTRL_HDR_SIZE;
>
> if (skb->len < hdr_size ||
> - !nci_plen(skb->data) ||
> skb->len < hdr_size + nci_plen(skb->data)) {
> return false;
> }
> +
> + /* Require non-zero length for standard OIDs (0x00 - 0x1F).
> + * But allow zero length in the proprietary range (0x20 - 0x3F). */
> + if (!nci_plen(skb->data))
> + if (nci_opcode_oid(nci_opcode(skb->data)) <= 0x1F)
> + return false;
Does this validation logic create a buffer over-read vulnerability in the
Samsung s3fwrn5 driver?
The patch allows zero-length payloads for any proprietary OID (0x20-0x3F)
without distinguishing between notification (NTF) and response (RSP)
message types. The s3fwrn5 driver registers RSP handlers for proprietary
OIDs 0x22, 0x26, 0x27, and 0x28 that all unconditionally read skb->data[0]:
drivers/nfc/s3fwrn5/nci.c:s3fwrn5_nci_prop_rsp() {
__u8 status = skb->data[0]; // No length check
nci_req_complete(ndev, status);
return 0;
}
If hardware sends a malformed zero-length RSP packet with one of these
proprietary OIDs, the validation would pass (since OID > 0x1F), then
nci_rsp_packet() calls skb_pull(skb, NCI_CTRL_HDR_SIZE) leaving
skb->len = 0, and s3fwrn5_nci_prop_rsp() accesses skb->data[0] on a
zero-length buffer.
The commit message justifies allowing zero-length for the NXP NTF case
(OID 0x23), which has a handler that doesn't access skb data. But the
implementation applies to ALL proprietary OIDs including RSP messages.
Would it be safer to either:
1) Restrict the zero-length exception to notification packets only
2) Check that all proprietary OID handlers can safely handle zero-length
3) Add a length check before skb->data[0] access in s3fwrn5_nci_prop_rsp()
--
pw-bot: cr
next prev parent reply other threads:[~2026-02-20 21:34 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 11:25 [PATCH] nfc: nci: Fix zero-length proprietary OIDs Ian Ray
2026-02-20 21:34 ` Jakub Kicinski [this message]
2026-02-23 7:26 ` Ian Ray
2026-02-20 21:36 ` [PATCH] " Jakub Kicinski
2026-02-23 7:29 ` Ian Ray
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260220213419.3181677-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=ian.ray@gehealthcare.com \
--cc=jeremy@jcline.org \
--cc=krzk@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryasuoka@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.