* [PATCH net v3] nfc: llcp: reject PDUs shorter than the LLCP header
@ 2026-07-14 16:46 Doruk Tan Ozturk
2026-07-14 20:57 ` Vadim Fedorenko
0 siblings, 1 reply; 2+ messages in thread
From: Doruk Tan Ozturk @ 2026-07-14 16:46 UTC (permalink / raw)
To: david
Cc: vadim.fedorenko, horms, david.laight.linux, oe-linux-nfc, netdev,
linux-kernel, stable
Every LLCP PDU begins with a two-byte header (DSAP/SSAP + PTYPE), but the
receive path never checked that a frame is at least LLCP_HEADER_SIZE bytes
before parsing it.
nfc_llcp_rx_skb() reads the header via nfc_llcp_ptype()/nfc_llcp_dsap()/
nfc_llcp_ssap(), which dereference pdu->data[0] and pdu->data[1], and a
CONNECT or CC PDU then computes
tlv_array_len = skb->len - LLCP_HEADER_SIZE;
as a size_t and hands it to the TLV walk. When the frame is shorter than
the header the subtraction wraps to a huge value and the walk runs far
past the buffer, an out-of-bounds read.
A nearby NFC device can reach this without authentication; LLCP link
activation happens automatically after NFC-DEP.
Guard the common receive choke point __nfc_llcp_recv(), shared by both the
target (nfc_llcp_data_received()) and initiator (nfc_llcp_recv()) paths, so
a short skb is dropped before the rx_work worker parses it. Use
pskb_may_pull() rather than a skb->len test so the two header bytes are
guaranteed to sit in the skb linear area even for a non-linear skb,
matching how the sibling NCI and HCI receive paths validate their headers.
Reproduced with a KFENCE out-of-bounds read via /dev/virtual_nci on
linux-next.
Found by 0sec automated security-research tooling (https://0sec.ai).
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Cc: stable@vger.kernel.org
Suggested-by: David Laight <david.laight.linux@gmail.com>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
v3: use pskb_may_pull() so the guard also covers non-linear skbs and
guarantees the header bytes are in the linear area (David Laight).
v2: move the guard into __nfc_llcp_recv() so both the target and
initiator receive paths are covered by a single check.
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index aed5fe1afef0..e3b2627cb089 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1565,6 +1565,11 @@ static void nfc_llcp_rx_work(struct work_struct *work)
static void __nfc_llcp_recv(struct nfc_llcp_local *local, struct sk_buff *skb)
{
+ if (!pskb_may_pull(skb, LLCP_HEADER_SIZE)) {
+ kfree_skb(skb);
+ return;
+ }
+
local->rx_pending = skb;
timer_delete(&local->link_timer);
schedule_work(&local->rx_work);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net v3] nfc: llcp: reject PDUs shorter than the LLCP header
2026-07-14 16:46 [PATCH net v3] nfc: llcp: reject PDUs shorter than the LLCP header Doruk Tan Ozturk
@ 2026-07-14 20:57 ` Vadim Fedorenko
0 siblings, 0 replies; 2+ messages in thread
From: Vadim Fedorenko @ 2026-07-14 20:57 UTC (permalink / raw)
To: Doruk Tan Ozturk, david
Cc: horms, david.laight.linux, oe-linux-nfc, netdev, linux-kernel,
stable
On 14.07.2026 17:46, Doruk Tan Ozturk wrote:
> Every LLCP PDU begins with a two-byte header (DSAP/SSAP + PTYPE), but the
> receive path never checked that a frame is at least LLCP_HEADER_SIZE bytes
> before parsing it.
>
> nfc_llcp_rx_skb() reads the header via nfc_llcp_ptype()/nfc_llcp_dsap()/
> nfc_llcp_ssap(), which dereference pdu->data[0] and pdu->data[1], and a
> CONNECT or CC PDU then computes
>
> tlv_array_len = skb->len - LLCP_HEADER_SIZE;
>
> as a size_t and hands it to the TLV walk. When the frame is shorter than
> the header the subtraction wraps to a huge value and the walk runs far
> past the buffer, an out-of-bounds read.
>
> A nearby NFC device can reach this without authentication; LLCP link
> activation happens automatically after NFC-DEP.
>
> Guard the common receive choke point __nfc_llcp_recv(), shared by both the
> target (nfc_llcp_data_received()) and initiator (nfc_llcp_recv()) paths, so
> a short skb is dropped before the rx_work worker parses it. Use
> pskb_may_pull() rather than a skb->len test so the two header bytes are
> guaranteed to sit in the skb linear area even for a non-linear skb,
> matching how the sibling NCI and HCI receive paths validate their headers.
>
> Reproduced with a KFENCE out-of-bounds read via /dev/virtual_nci on
> linux-next.
>
> Found by 0sec automated security-research tooling (https://0sec.ai).
>
> Fixes: d646960f7986 ("NFC: Initial LLCP support")
> Cc: stable@vger.kernel.org
> Suggested-by: David Laight <david.laight.linux@gmail.com>
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
> v3: use pskb_may_pull() so the guard also covers non-linear skbs and
> guarantees the header bytes are in the linear area (David Laight).
> v2: move the guard into __nfc_llcp_recv() so both the target and
> initiator receive paths are covered by a single check.
>
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index aed5fe1afef0..e3b2627cb089 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -1565,6 +1565,11 @@ static void nfc_llcp_rx_work(struct work_struct *work)
>
> static void __nfc_llcp_recv(struct nfc_llcp_local *local, struct sk_buff *skb)
> {
> + if (!pskb_may_pull(skb, LLCP_HEADER_SIZE)) {
> + kfree_skb(skb);
> + return;
> + }
> +
> local->rx_pending = skb;
> timer_delete(&local->link_timer);
> schedule_work(&local->rx_work);
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-14 20:58 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-14 16:46 [PATCH net v3] nfc: llcp: reject PDUs shorter than the LLCP header Doruk Tan Ozturk
2026-07-14 20:57 ` Vadim Fedorenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox