From: Simon Horman <horms@kernel.org>
To: Ashutosh Desai <ashutoshdesai993@gmail.com>
Cc: netdev@vger.kernel.org, kuba@kernel.org, edumazet@google.com,
davem@davemloft.net, pabeni@redhat.com, stable@vger.kernel.org,
linux-kernel@vger.kernel.org, david+nfc@ixit.cz
Subject: Re: [PATCH v7] nfc: hci: fix out-of-bounds read in HCP header parsing
Date: Sat, 9 May 2026 11:54:12 +0100 [thread overview]
Message-ID: <20260509105412.GP15617@horms.kernel.org> (raw)
In-Reply-To: <20260505170712.96560-1-ashutoshdesai993@gmail.com>
On Tue, May 05, 2026 at 05:07:12PM +0000, Ashutosh Desai wrote:
> Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
> packet->header from skb->data at function entry without first checking
> that the buffer holds at least one byte. A malicious NFC peer can send
> a 0-byte HCP frame that passes through the SHDLC layer and reaches
> these functions, causing an out-of-bounds heap read of packet->header.
> The same 0-byte frame, if queued as a non-final fragment, also causes
> the reassembly loop to underflow msg_len to UINT_MAX, triggering
> skb_over_panic() when the reassembled skb is written.
>
> Fix this by adding a pskb_may_pull() check at the entry of each
> function before packet->header is first accessed. The existing
> pskb_may_pull() checks before the reassembled hcp_skb is cast to
> struct hcp_packet remain in place to guard the 2-byte HCP message
> header.
>
> Fixes: 8b8d2e08bf0d ("NFC: HCI support")
> Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
> Cc: stable@vger.kernel.org
> Reviewed-by: Simon Horman <horms@kernel.org>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
FTR: There is an AI-generated review of this patch available on sashiko.dev.
It seems to me that all of the issues flagged there are pre-existing and
need not impede progress of this patch.
prev parent reply other threads:[~2026-05-09 10:54 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 17:07 [PATCH v7] nfc: hci: fix out-of-bounds read in HCP header parsing Ashutosh Desai
2026-05-09 10:54 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260509105412.GP15617@horms.kernel.org \
--to=horms@kernel.org \
--cc=ashutoshdesai993@gmail.com \
--cc=davem@davemloft.net \
--cc=david+nfc@ixit.cz \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.