[PATCH] NFC: pn533: bound the UART receive buffer

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] NFC: pn533: bound the UART receive buffer
@ 2026-03-23  7:24 Pengpeng Hou
  2026-03-26 10:48 ` Paolo Abeni
  2026-03-26 14:20 ` [PATCH net v2] " Pengpeng Hou
  0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-23  7:24 UTC (permalink / raw)
  To: netdev; +Cc: linux-kernel, tglx, mingo, kees, pengpeng

pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/nfc/pn533/uart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 6d2f520a5bc8..1b82b7b2a5fa 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -211,6 +211,9 @@ static size_t pn532_receive_buf(struct serdev_device *serdev,
 
 	timer_delete(&dev->cmd_timeout);
 	for (i = 0; i < count; i++) {
+		if (unlikely(!skb_tailroom(dev->recv_skb)))
+			skb_trim(dev->recv_skb, 0);
+
 		skb_put_u8(dev->recv_skb, *data++);
 		if (!pn532_uart_rx_is_frame(dev->recv_skb))
 			continue;
-- 
2.50.1 (Apple Git-155)


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] NFC: pn533: bound the UART receive buffer
  2026-03-23  7:24 [PATCH] NFC: pn533: bound the UART receive buffer Pengpeng Hou
@ 2026-03-26 10:48 ` Paolo Abeni
  2026-03-26 14:20 ` [PATCH net v2] " Pengpeng Hou
  1 sibling, 0 replies; 3+ messages in thread
From: Paolo Abeni @ 2026-03-26 10:48 UTC (permalink / raw)
  To: Pengpeng Hou, netdev; +Cc: linux-kernel, tglx, mingo, kees

On 3/23/26 8:24 AM, Pengpeng Hou wrote:
> pn532_receive_buf() appends every incoming byte to dev->recv_skb and
> only resets the buffer after pn532_uart_rx_is_frame() recognizes a
> complete frame. A continuous stream of bytes without a valid PN532 frame
> header therefore keeps growing the skb until skb_put_u8() hits the tail
> limit.
> 
> Drop the accumulated partial frame once the fixed receive buffer is full
> so malformed UART traffic cannot grow the skb past
> PN532_UART_SKB_BUFF_LEN.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>

This looks line 'net' material. Could you please provide a suitable
Fixes tag?

Thanks,

Paolo


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH net v2] NFC: pn533: bound the UART receive buffer
  2026-03-23  7:24 [PATCH] NFC: pn533: bound the UART receive buffer Pengpeng Hou
  2026-03-26 10:48 ` Paolo Abeni
@ 2026-03-26 14:20 ` Pengpeng Hou
  1 sibling, 0 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-26 14:20 UTC (permalink / raw)
  To: netdev; +Cc: linux-kernel, tglx, mingo, kees, pabeni, pengpeng

pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- add the requested Fixes tag for the UART receive path

 drivers/nfc/pn533/uart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 6d2f520a5bc8..1b82b7b2a5fa 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -211,6 +211,9 @@ static size_t pn532_receive_buf(struct serdev_device *serdev,
 
 	timer_delete(&dev->cmd_timeout);
 	for (i = 0; i < count; i++) {
+		if (unlikely(!skb_tailroom(dev->recv_skb)))
+			skb_trim(dev->recv_skb, 0);
+
 		skb_put_u8(dev->recv_skb, *data++);
 		if (!pn532_uart_rx_is_frame(dev->recv_skb))
 			continue;
-- 
2.50.1 (Apple Git-155)


^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-03-26 14:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23  7:24 [PATCH] NFC: pn533: bound the UART receive buffer Pengpeng Hou
2026-03-26 10:48 ` Paolo Abeni
2026-03-26 14:20 ` [PATCH net v2] " Pengpeng Hou

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox