* [PATCH net v3] net: nfc: nci: Fix parameter validation for packet data
@ 2025-12-22 14:31 Michael Thalmeier
From: Michael Thalmeier @ 2025-12-22 14:31 UTC (permalink / raw)
To: Deepak Sharma, Krzysztof Kozlowski, Vadim Fedorenko, Simon Horman,
Paolo Abeni
Cc: linux-kernel, netdev, Michael Thalmeier, Michael Thalmeier,
stable
Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
packet data") communication with NCI NFC chips no longer works.
The mentioned commit tries to fix access to uninitialized data, but does
not account for the fact that in some cases the data packet is of variable
length and therefore cannot be compared against the maximum packet length
given by sizeof(struct).
Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
---
v3:
- perform complete checks
- replace magic numbers with offsetofend and sizeof
v2:
- Reference correct commit hash
---
net/nfc/nci/ntf.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 418b84e2b260..0190332cf454 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -58,7 +58,7 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
struct nci_conn_info *conn_info;
int i;
- if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
+ if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries))
return -EINVAL;
ntf = (struct nci_core_conn_credit_ntf *)skb->data;
@@ -68,6 +68,10 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
if (ntf->num_entries > NCI_MAX_NUM_CONN)
ntf->num_entries = NCI_MAX_NUM_CONN;
+ if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries) +
+ ntf->num_entries * sizeof(struct conn_credit_entry))
+ return -EINVAL;
+
/* update the credits */
for (i = 0; i < ntf->num_entries; i++) {
ntf->conn_entries[i].conn_id =
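Review bot: The added entries check depends on the clamp two lines above it: because num_entries has already been reduced to NCI_MAX_NUM_CONN, the check bounds the loop that follows rather than the count the peer actually sent, and nothing in the hunk records that ordering. A one-line comment would keep a later reordering from reintroducing the out-of-bounds read: `/* num_entries was clamped above; require that many entries to be present */`. Silently truncating an over-long count instead of rejecting the packet is pre-existing behavior, but the comment should make explicit that the check is deliberately against the clamped value. nci_core_conn_credits_ntf_packet's body continues outside the hunk.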
@@ -364,7 +368,7 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
const __u8 *data;
bool add_target = true;
- if (skb->len < sizeof(struct nci_rf_discover_ntf))
+ if (skb->len < offsetofend(struct nci_rf_discover_ntf, rf_tech_specific_params_len))
return -EINVAL;
data = skb->data;
@@ -380,6 +384,10 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
pr_debug("rf_tech_specific_params_len %d\n",
ntf.rf_tech_specific_params_len);
+ if (skb->len < (data - skb->data) +
+ ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
+ return -EINVAL;
+
if (ntf.rf_tech_specific_params_len > 0) {
switch (ntf.rf_tech_and_mode) {
case NCI_NFC_A_PASSIVE_POLL_MODE:
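Review bot: The check at the top of the hunk bounds the tech-specific parameter blob as a whole plus one extra byte for ntf_type, which is presumably read after the switch (that read is outside the hunk). The per-mode extractors called from the switch are not visible here; if they walk nested length fields inside the blob, they still have to stay within rf_tech_specific_params_len, and this check does not enforce that, so it is worth confirming against those helpers. A comment stating what the bound covers would help readers: `/* rf tech specific params, followed by the one-byte ntf_type */`. nci_rf_discover_ntf_packet's body continues outside the hunk.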
@@ -596,7 +604,7 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
const __u8 *data;
int err = NCI_STATUS_OK;
- if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
+ if (skb->len < offsetofend(struct nci_rf_intf_activated_ntf, rf_tech_specific_params_len))
return -EINVAL;
data = skb->data;
@@ -628,6 +636,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
if (ntf.rf_interface == NCI_RF_INTERFACE_NFCEE_DIRECT)
goto listen;
+ if (skb->len < (data - skb->data) + ntf.rf_tech_specific_params_len)
+ return -EINVAL;
+
if (ntf.rf_tech_specific_params_len > 0) {
switch (ntf.activation_rf_tech_and_mode) {
case NCI_NFC_A_PASSIVE_POLL_MODE:
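Review bot: The new length check sits after the `goto listen` for NCI_RF_INTERFACE_NFCEE_DIRECT, so that path reaches the `listen` label with only the fixed header verified by the earlier offsetofend check; if the code under `listen:` (outside the hunk) reads any further packet bytes, it needs its own bound, and the same applies to the later checks in this function that the goto skips. If `listen:` reads nothing further, a short comment above the goto would make the bypass obviously safe: `/* NFCEE direct: nothing further is parsed, so the length checks below are skipped */`, to be confirmed against the listen path. nci_rf_intf_activated_ntf_packet's body continues outside the hunk.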
@@ -668,6 +679,11 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
}
}
+ if (skb->len < (data - skb->data) + sizeof(ntf.data_exch_rf_tech_and_mode) +
+ sizeof(ntf.data_exch_tx_bit_rate) + sizeof (ntf.data_exch_rx_bit_rate) +
+ sizeof(ntf.activation_params_len))
+ return -EINVAL;
+
ntf.data_exch_rf_tech_and_mode = *data++;
ntf.data_exch_tx_bit_rate = *data++;
ntf.data_exch_rx_bit_rate = *data++;
@@ -679,6 +695,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
pr_debug("data_exch_rx_bit_rate 0x%x\n", ntf.data_exch_rx_bit_rate);
pr_debug("activation_params_len %d\n", ntf.activation_params_len);
+ if (skb->len < (data - skb->data) + ntf.activation_params_len)
+ return -EINVAL;
+
if (ntf.activation_params_len > 0) {
switch (ntf.rf_interface) {
case NCI_RF_INTERFACE_ISO_DEP:
--
2.52.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH net v3] net: nfc: nci: Fix parameter validation for packet data
@ 2025-12-22 15:21 ` Vadim Fedorenko
From: Vadim Fedorenko @ 2025-12-22 15:21 UTC (permalink / raw)
To: Michael Thalmeier, Deepak Sharma, Krzysztof Kozlowski,
Simon Horman, Paolo Abeni
Cc: linux-kernel, netdev, Michael Thalmeier, stable
On 22/12/2025 14:31, Michael Thalmeier wrote:
> @@ -668,6 +679,11 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> }
> }
>
> + if (skb->len < (data - skb->data) + sizeof(ntf.data_exch_rf_tech_and_mode) +
> + sizeof(ntf.data_exch_tx_bit_rate) + sizeof (ntf.data_exch_rx_bit_rate) +
extra space between sizeof and the bracket
> + sizeof(ntf.activation_params_len))
> + return -EINVAL;
> +
> ntf.data_exch_rf_tech_and_mode = *data++;
> ntf.data_exch_tx_bit_rate = *data++;
> ntf.data_exch_rx_bit_rate = *data++;