From: Simon Horman <horms@kernel.org>
To: "Lekë Hapçiu" <snowwlake@icloud.com>
Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org,
	linux-nfc@lists.01.org, davem@davemloft.net, kuba@kernel.org,
	"Lekë Hapçiu" <framemain@outlook.com>
Subject: Re: [PATCH] nfc: nci: fix OOB heap read in nci_core_init_rsp_packet_v2()
Date: Thu, 9 Apr 2026 11:17:59 +0100
Message-ID: <20260409101759.GL469338@kernel.org>
In-Reply-To: <20260404180049.1304711-1-snowwlake@icloud.com>

On Sat, Apr 04, 2026 at 08:00:49PM +0200, Lekë Hapçiu wrote:
> From: Lekë Hapçiu <framemain@outlook.com>
> 
> nci_core_init_rsp_packet_v2() walks the chip-supplied
> supported_rf_interfaces[] flexible array using a plain pointer
> with no bounds check.  Each iteration advances supported_rf_interface
> by (1 + 1 + rf_extension_cnt) bytes, where rf_extension_cnt comes
> directly from the chip.  A hostile NCI v2 chip can set
> rf_extension_cnt=255 per entry and num_supported_rf_interfaces=4,
> driving the pointer up to ~1028 bytes past the end of the skb into
> adjacent kernel heap.
> 
> Add two guards per loop iteration:
>  - check that at least 2 bytes remain before reading the interface
>    byte and extension count byte;
>  - check that sufficient bytes remain for the declared extension
>    block before advancing over it.
> 
> Also add an upfront sizeof(*rsp) check so that accessing the fixed
> header fields (nfcc_features, max_logical_connections, ...) is safe
> before the loop is reached.
> 
> Fixes: bcd684aace34 ("net/nfc/nci: Support NCI 2.x initial sequence")
> Signed-off-by: Lekë Hapçiu <framemain@outlook.com>

I believe that my review of "[PATCH] nfc: nci: fix OOB heap read in
nci_core_init_rsp_packet_v1()" is relevant here.

- https://lore.kernel.org/all/20260408190505.GK469338@kernel.org/

I would appreciate it if you could create a v2 patchset, including
an updated version of this patch and that one.

Thanks!

-- 
pw-bot: changes-requested
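The bug class described in the quoted commit message, as an added example that is not the kernel's code and not part of this thread: a simplified model of the NCI 2.x CORE_INIT_RSP walk, with the unchecked pointer walk beside a walk that applies the three guards the patch describes (upfront header-size check, 2-byte check before reading the interface and extension-count bytes, and a check that the declared extension block fits). The struct layout, the function names and the sample packets are assumptions constructed for this example; the real fixed-header layout lives in the kernel's NCI headers and is not reproduced here. To keep the demo memory-safe, the hostile packet is placed inside a larger arena pre-filled with 0xff so that the unchecked walk's "out-of-bounds" reads land in memory we own, and the function reports how far past the packet it got.

```c
/* Model of the CORE_INIT_RSP v2 RF-interface walk: unchecked vs. checked.
 * Layout and names are assumptions for this example, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed header (all single-byte fields, so no padding). */
struct init_rsp_v2 {
	uint8_t status;
	uint8_t nfcc_features[4];
	uint8_t max_logical_connections;
	uint8_t max_routing_table_size[2];
	uint8_t max_ctrl_pkt_payload_len;
	uint8_t max_data_pkt_hci_payload_len;
	uint8_t number_of_hci_credit;
	uint8_t max_nfc_v_rf_frame_size[2];
	uint8_t num_supported_rf_interfaces;
	/* entries: interface id, rf_extension_cnt, then rf_extension_cnt bytes */
	uint8_t supported_rf_interfaces[];
};
_Static_assert(sizeof(struct init_rsp_v2) == 14, "assumed header is 14 bytes");

#define ARENA_LEN 2048

/* Vulnerable walk: trusts num_supported_rf_interfaces and each
 * rf_extension_cnt.  Returns the offset the pointer ends at; anything
 * above `len` was read from beyond the packet.  Caller must keep the
 * packet inside an ARENA_LEN buffer so this demo stays in our memory. */
static size_t walk_unchecked(const uint8_t *buf, size_t len)
{
	const struct init_rsp_v2 *rsp = (const struct init_rsp_v2 *)buf;
	const uint8_t *p = rsp->supported_rf_interfaces;
	(void)len; /* never consulted: that is the bug */

	for (unsigned i = 0; i < rsp->num_supported_rf_interfaces; i++) {
		uint8_t rf_extension_cnt = p[1]; /* chip-controlled */
		p += 1 + 1 + rf_extension_cnt;
	}
	return (size_t)(p - buf);
}

/* Hardened walk with the patch's three guards.  Returns the number of
 * interfaces parsed, or -1 if the packet is malformed. */
static int walk_checked(const uint8_t *buf, size_t len, size_t *consumed)
{
	const struct init_rsp_v2 *rsp = (const struct init_rsp_v2 *)buf;
	size_t off = sizeof(*rsp);

	if (len < sizeof(*rsp))          /* fixed header must be present */
		return -1;

	for (unsigned i = 0; i < rsp->num_supported_rf_interfaces; i++) {
		uint8_t rf_extension_cnt;

		if (len - off < 2)           /* interface id + extension count */
			return -1;
		rf_extension_cnt = buf[off + 1];
		if (len - off - 2 < rf_extension_cnt) /* declared block must fit */
			return -1;
		off += 2 + rf_extension_cnt;
	}
	if (consumed)
		*consumed = off;
	return rsp->num_supported_rf_interfaces;
}

/* Constructed sample packets (not captured from hardware). */
static size_t build_header(uint8_t *out, uint8_t num_ifaces)
{
	struct init_rsp_v2 hdr = { .max_logical_connections = 2,
				   .num_supported_rf_interfaces = num_ifaces };
	memcpy(out, &hdr, sizeof(hdr));
	return sizeof(hdr);
}

/* Hostile response: claims 4 interfaces, ships one entry with
 * rf_extension_cnt = 255 and nothing after it (16 bytes total). */
static size_t build_hostile(uint8_t *arena)
{
	memset(arena, 0xff, ARENA_LEN); /* "adjacent heap" full of 0xff */
	size_t len = build_header(arena, 4);
	arena[len++] = 0x01; /* RF interface id */
	arena[len++] = 0xff; /* rf_extension_cnt */
	return len;
}

/* Well-formed response: two interfaces, the second with a 2-byte extension. */
static size_t build_valid(uint8_t *arena)
{
	size_t len = build_header(arena, 2);
	const uint8_t entries[] = { 0x01, 0x00, 0x02, 0x02, 0xaa, 0xbb };
	memcpy(arena + len, entries, sizeof(entries));
	return len + sizeof(entries);
}

size_t demo_hostile_overrun(void)
{
	uint8_t arena[ARENA_LEN];
	size_t len = build_hostile(arena);
	return walk_unchecked(arena, len) - len; /* bytes read past the packet */
}

int demo_hostile_rejected(void)
{
	uint8_t arena[ARENA_LEN];
	return walk_checked(arena, build_hostile(arena), NULL);
}

int demo_valid(void)
{
	uint8_t arena[ARENA_LEN];
	return walk_checked(arena, build_valid(arena), NULL);
}

size_t demo_valid_consumed(void)
{
	uint8_t arena[ARENA_LEN];
	size_t consumed = 0;
	walk_checked(arena, build_valid(arena), &consumed);
	return consumed;
}

int demo_truncated(void) /* valid packet minus its last extension byte */
{
	uint8_t arena[ARENA_LEN];
	return walk_checked(arena, build_valid(arena) - 1, NULL);
}

int demo_short_header(void) /* shorter than the fixed header */
{
	uint8_t arena[ARENA_LEN];
	build_valid(arena);
	return walk_checked(arena, 10, NULL);
}

int main(void)
{
	printf("unchecked walk overran hostile packet by %zu bytes\n",
	       demo_hostile_overrun());
	printf("checked walk: hostile=%d valid=%d truncated=%d short=%d\n",
	       demo_hostile_rejected(), demo_valid(), demo_truncated(),
	       demo_short_header());
	return 0;
}
```

The overrun figure depends on what the bytes past the packet happen to hold: with 0xff everywhere, each of the four iterations advances 257 bytes, matching the "~1028 bytes" the commit message estimates for the worst case; with zeros it would stop much sooner, which is why such bugs are often silent until a fuzzer or KASAN catches them.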

Thread overview: 2+ messages
2026-04-04 18:00 [PATCH] nfc: nci: fix OOB heap read in nci_core_init_rsp_packet_v2() Lekë Hapçiu
2026-04-09 10:17 ` Simon Horman [this message]
