From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-ot1-f42.google.com (mail-ot1-f42.google.com [209.85.210.42])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B41A47DD5E
	for <linux-kernel@vger.kernel.org>; Tue,  5 May 2026 17:07:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.42
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778000837; cv=none; b=KDdDwyNyRJmhu17EoGhh93pLjdOTlXghDYR9S5xyjEXyurbpgo/6OXVvBD/TDU2BFdu0BJo3tyNucCplnu/M0m435IFBxXN8VTKZvIejUJkyttmG0g81q42T0jYj+GFhAuNIMY1/bvCPtNrRTz2Lft2+qMT+Wok5E94lbtTWxac=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778000837; c=relaxed/simple;
	bh=vw1Yz1M6ntRpNsMHRphRJy36953fAzli8KY6gviS25I=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=FPkNuSa+7taKtPbfjbGyEzRP60CGLt1yVTeXAuw+PNfCg1Ls93y1yAZ097YMr+9P06uEk/Uam5nPlv5dw0mMCWK1u+DzQFSWtem+rUK2/heEw/g0pimcC2KsmOulCqL7xGv+ZFPbxHSMbyr7FefKKft92zEFYraRwi7mDQtVzmM=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NPYMGG43; arc=none smtp.client-ip=209.85.210.42
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NPYMGG43"
Received: by mail-ot1-f42.google.com with SMTP id 46e09a7af769-7de46b8e432so5178244a34.1
        for <linux-kernel@vger.kernel.org>; Tue, 05 May 2026 10:07:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778000835; x=1778605635; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=bgyzmCLBZb8njVeoHc/WQXkO4KGEQm3rkpc/IuvAWz8=;
        b=NPYMGG43WqGp+YAYON7G4MdEUatsKkFlhmNA20fFY6VSU6EisIV2FQGh6i6xGCbexa
         UdUMWYF/d5NM2UlXyLcgrwYyoyC+G2utej7MOIKJRmeCGizPKlBOkUz6I9jqhgaeLXyJ
         e66bCEZaO20xZJMd7Za+FBp9eAwUydLICb8RvaRATxh0EoWrsmI/YZmqeDHSIgyiqpTE
         ZX5ER35Eg+GgpiA2z2Zd2RJCGC7UajKndFsDPTkyYUM49oWSey6r4w+wPR9Tlns56bAs
         oUbcbsJYKvdv7d2KhBj7jGgR9q3V77TkPSR7K+8ezE7se6oeClDeVq7zZ5v0pygvYGyv
         tjzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778000835; x=1778605635;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=bgyzmCLBZb8njVeoHc/WQXkO4KGEQm3rkpc/IuvAWz8=;
        b=eV+NVq2QyR2d3SJSzdOfb3nPLrNDEHWzbK/sEPRf4hqwhaHix+wpZCEFq2nA9xc45p
         e5Jr5VZeqpqhGIgRtaFjmFKxmgSxIs2Ad+E2q+Tol4+kmWL+Zs/O2ryQmotK3JGSF74F
         cUHF/7jidlvuMUlb/o2NOp0yZCnp9TQT1UC9iRM8+g1P9OvRKWPnZaQ/CLOScXbpi0/+
         37qXDMgg+poUmBaIGaRfx3PIuRQJEQCvEnMYTCMGrMw1ROcbwuN6r8wIKXRRodPdQWKd
         To1ljOcx8iZeDkQp1I0zVaTfxmsJD3ONenCQ1Kt7MPWEPyoCmcS9FcS+h7CmZQmK8cNe
         nYQA==
X-Forwarded-Encrypted: i=1; AFNElJ8i+nvnFSnhXA1bmox158NBVZFrQ3VePq6Z40gzyxsJKh+E0KVR86kJsaZusUC+BPhMKxjVU00dMDzYNKE=@vger.kernel.org
X-Gm-Message-State: AOJu0YzFX5YwRaEIou8Bs1+L3mCsiHN1GVFYcb0c0duo1bDjDlkHTlTO
	Cv+6qNQDpAKF2PKxeuODNJ5pPfSOUbAfV1ZGwstptsONwczqIZ+XzJEc
X-Gm-Gg: AeBDieuyFbSUT/mQW+5AqymqEb219nlWHuJYNovMCeIQrGGjVwWWeuIAMV2c/4OUnOV
	REbSaszzEHqvEOirK7nTpn0TTLMm1Iao4J6bmKET721i94ZZcYaK7krUCjGFyNqQEHEBIOsix4g
	FuHonSqMMEQNUZ2vfH32xrg/PI+ntPxGibbZAja1fz3PcZT/JLbReUQEZvw4e+jY5Fz4udy7opQ
	XDj3vOn/6xOLe2oja7KTfXTZFJHeA5KNL++40g14CRKXrLF5+tK7i1azJBkSXA6jrG2rl4Wkyg0
	5VGrzK2DfNt8fqn2L5Qznbb2FpYT/iI3R9lMgC+UFTsQchajVBb2DQmJcX68y/6wsW+oY3Eb6jL
	gxkFnUa/VZ4c14scw5aHiM2CS3Rvv7IqhUvSEmYBIYT5yJ5Kk52mtPSyY2nKSqQREnuN45uoPUf
	mxnAnxBbhwVCSJOvKP8rVz5Lhjxp3gCF5R03d8AQEt8Vadw4jrAi6pbgkzLlOFKGD/egdHvSLW7
	cWWrb7PR9PeF5ICLumL/p9C7SM41+HmD3i7FSw=
X-Received: by 2002:a05:6830:6686:b0:7dc:d0cc:91b with SMTP id 46e09a7af769-7dee149eb40mr10122943a34.26.1778000835319;
        Tue, 05 May 2026 10:07:15 -0700 (PDT)
Received: from TDC4045031631.e0cglfehwr0e5gttmepj3hi3hf.ux.internal.cloudapp.net ([20.63.37.123])
        by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8b53d6442d0sm151261756d6.46.2026.05.05.10.07.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 May 2026 10:07:14 -0700 (PDT)
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
To: netdev@vger.kernel.org
Cc: kuba@kernel.org,
	edumazet@google.com,
	davem@davemloft.net,
	pabeni@redhat.com,
	horms@kernel.org,
	stable@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	david+nfc@ixit.cz,
	Ashutosh Desai <ashutoshdesai993@gmail.com>
Subject: [PATCH v7] nfc: hci: fix out-of-bounds read in HCP header parsing
Date: Tue,  5 May 2026 17:07:12 +0000
Message-Id: <20260505170712.96560-1-ashutoshdesai993@gmail.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
---
Changes in v7:
- Add David Heidelberg <david+nfc@ixit.cz> to CC (NFC subsystem maintainer)

Changes in v6:
- Add pskb_may_pull(skb, 1) at function entry in both functions before
  packet->header is first accessed, to fix OOB read on 0-byte frames
  and prevent integer underflow in the fragment reassembly path
  (Paolo Abeni)

V6 -> V7: add NFC subsystem maintainer to CC
V5 -> V6: add entry-point length checks per Paolo Abeni's review
V4 -> V5: fix whitespace damage
V3 -> V4: add Fixes tags
V2 -> V3: drop redundant checks from nfc_hci_msg_rx_work/nci_hci_msg_rx_work;
          remove incorrect Suggested-by tag
V1 -> V2: use pskb_may_pull() instead of skb->len check

v6: https://lore.kernel.org/netdev/20260502163116.3409687-1-ashutoshdesai993@gmail.com/
v5: https://lore.kernel.org/netdev/20260416051522.4154698-1-ashutoshdesai993@gmail.com/
v4: https://lore.kernel.org/netdev/177614425081.3600288.2536320552978506086@gmail.com/
v3: https://lore.kernel.org/netdev/20260413024329.3293075-1-ashutoshdesai993@gmail.com/
v2: https://lore.kernel.org/netdev/20260409150825.2217133-1-ashutoshdesai993@gmail.com/
v1: https://lore.kernel.org/netdev/20260408223113.2009304-1-ashutoshdesai993@gmail.com/

 net/nfc/hci/core.c | 10 ++++++++++
 net/nfc/nci/hci.c  | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index 0d33c81a15fe..ba6f0310ffd7 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct nfc_hci_dev *hdev, struct sk_buff *skb)
 	struct sk_buff *frag_skb;
 	int msg_len;
 
+	if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)skb->data;
 	if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&hdev->rx_hcp_frags, skb);
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct nfc_hci_dev *hdev, struct sk_buff *skb)
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)hcp_skb->data;
 	type = HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NFC_HCI_HCP_RESPONSE) {
diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
index 40ae8e5a7ec7..c03e8a0bd3bd 100644
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *context,
 		return;
 	}
 
+	if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)skb->data;
 	if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *context,
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)hcp_skb->data;
 	type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NCI_HCI_HCP_RESPONSE) {
-- 
2.34.1