* [PATCH net] Revert "nfc/nci: Add the inconsistency check between the input data length and count"
@ 2026-01-13 20:24 Thadeu Lima de Souza Cascardo
2026-01-19 14:18 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2026-01-13 20:24 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, Edward Adam Davis, David S. Miller,
Krzysztof Kozlowski, Bongsu Jeon, kernel-dev,
Thadeu Lima de Souza Cascardo
This reverts commit 068648aab72c9ba7b0597354ef4d81ffaac7b979.
NFC packets may have NUL-bytes. Checking for string length is not a correct
assumption here. As long as there is a check for the length copied from
copy_from_user, all should be fine.
The fix only prevented the syzbot reproducer from triggering the bug
because the packet is not enqueued anymore and the code that triggers the
bug is not exercised.
The fix even broke
testing/selftests/nci/nci_dev, making all tests there fail. After the
revert, 6 out of 8 tests pass.
Fixes: 068648aab72c ("nfc/nci: Add the inconsistency check between the input data length and count")
Cc: stable@vger.kernel.org
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
---
drivers/nfc/virtual_ncidev.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/nfc/virtual_ncidev.c b/drivers/nfc/virtual_ncidev.c
index 9ef8ef2d4363..b957fce83b7c 100644
--- a/drivers/nfc/virtual_ncidev.c
+++ b/drivers/nfc/virtual_ncidev.c
@@ -125,10 +125,6 @@ static ssize_t virtual_ncidev_write(struct file *file,
kfree_skb(skb);
return -EFAULT;
}
- if (strnlen(skb->data, count) != count) {
- kfree_skb(skb);
- return -EINVAL;
- }
nci_recv_frame(vdev->ndev, skb);
return count;
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH net] Revert "nfc/nci: Add the inconsistency check between the input data length and count"
2026-01-13 20:24 [PATCH net] Revert "nfc/nci: Add the inconsistency check between the input data length and count" Thadeu Lima de Souza Cascardo
@ 2026-01-19 14:18 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-01-19 14:18 UTC (permalink / raw)
To: Thadeu Lima de Souza Cascardo
Cc: netdev, linux-kernel, eadavis, davem, krzk, bongsu.jeon,
kernel-dev
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Tue, 13 Jan 2026 17:24:58 -0300 you wrote:
> This reverts commit 068648aab72c9ba7b0597354ef4d81ffaac7b979.
>
> NFC packets may have NUL-bytes. Checking for string length is not a correct
> assumption here. As long as there is a check for the length copied from
> copy_from_user, all should be fine.
>
> The fix only prevented the syzbot reproducer from triggering the bug
> because the packet is not enqueued anymore and the code that triggers the
> bug is not exercised.
>
> [...]
Here is the summary with links:
- [net] Revert "nfc/nci: Add the inconsistency check between the input data length and count"
https://git.kernel.org/netdev/net/c/f40ddcc0c0ca
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-01-19 14:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-13 20:24 [PATCH net] Revert "nfc/nci: Add the inconsistency check between the input data length and count" Thadeu Lima de Souza Cascardo
2026-01-19 14:18 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox