* [PATCH] nfc: llcp: fix u8 offset truncation in LLCP TLV parsers
@ 2026-04-05 10:59 Lekë Hapçiu
2026-04-09 16:41 ` Simon Horman
0 siblings, 1 reply; 2+ messages in thread
From: Lekë Hapçiu @ 2026-04-05 10:59 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, horms, stable, linux-kernel,
Lekë Hapçiu
From: Lekë Hapçiu <framemain@outlook.com>
nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv() declare
'offset' as u8, but compare it against a u16 tlv_array_len:
u8 type, length, offset = 0;
while (offset < tlv_array_len) { /* tlv_array_len is u16 */
...
offset += length + 2; /* wraps at 256 */
tlv += length + 2;
}
When tlv_array_len > 255 -- possible in nfc_llcp_parse_connection_tlv()
when the peer has negotiated MIUX = 0x7FF (MIU = 2175 bytes), so that
a CONNECT PDU can carry a TLV array of up to 2173 bytes -- the u8
offset wraps back below tlv_array_len after every 128 zero-length TLV
entries and the loop never terminates. The 'tlv' pointer meanwhile
advances without bound into adjacent kernel heap, causing:
* an OOB read of kernel heap content past the skb end;
* a kernel page fault / oops once 'tlv' leaves mapped memory.
This is reachable from any NFC P2P peer device within ~4 cm without
requiring compromised NFCC firmware.
Fix: promote 'offset' from u8 to u16 in both parsers, matching the
type of their tlv_array_len parameter.
nfc_llcp_parse_gb_tlv() takes GB bytes from the ATR_RES (max 44 bytes),
so the wrap cannot occur in practice there. Change it anyway for
correctness and to prevent copy-paste reintroduction.
Cc: stable@vger.kernel.org
Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
---
net/nfc/llcp_commands.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 291f26fac..6937dcb3b 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -193,7 +193,8 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
const u8 *tlv_array, u16 tlv_array_len)
{
const u8 *tlv = tlv_array;
- u8 type, length, offset = 0;
+ u8 type, length;
+ u16 offset = 0;
pr_debug("TLV array length %d\n", tlv_array_len);
@@ -243,7 +244,8 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
const u8 *tlv_array, u16 tlv_array_len)
{
const u8 *tlv = tlv_array;
- u8 type, length, offset = 0;
+ u8 type, length;
+ u16 offset = 0;
pr_debug("TLV array length %d\n", tlv_array_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] nfc: llcp: fix u8 offset truncation in LLCP TLV parsers
2026-04-05 10:59 [PATCH] nfc: llcp: fix u8 offset truncation in LLCP TLV parsers Lekë Hapçiu
@ 2026-04-09 16:41 ` Simon Horman
0 siblings, 0 replies; 2+ messages in thread
From: Simon Horman @ 2026-04-09 16:41 UTC (permalink / raw)
To: Lekë Hapçiu
Cc: netdev, davem, edumazet, kuba, pabeni, stable, linux-kernel,
Lekë Hapçiu
On Sun, Apr 05, 2026 at 12:59:38PM +0200, Lekë Hapçiu wrote:
> From: Lekë Hapçiu <framemain@outlook.com>
>
> nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv() declare
> 'offset' as u8, but compare it against a u16 tlv_array_len:
>
> u8 type, length, offset = 0;
> while (offset < tlv_array_len) { /* tlv_array_len is u16 */
> ...
> offset += length + 2; /* wraps at 256 */
> tlv += length + 2;
> }
>
> When tlv_array_len > 255 -- possible in nfc_llcp_parse_connection_tlv()
> when the peer has negotiated MIUX = 0x7FF (MIU = 2175 bytes), so that
> a CONNECT PDU can carry a TLV array of up to 2173 bytes -- the u8
> offset wraps back below tlv_array_len after every 128 zero-length TLV
> entries and the loop never terminates. The 'tlv' pointer meanwhile
> advances without bound into adjacent kernel heap, causing:
>
> * an OOB read of kernel heap content past the skb end;
> * a kernel page fault / oops once 'tlv' leaves mapped memory.
Is the more general explanation of this problem that the length of packet
data is used as the tlv_array_len parameter, and that length is not
verified to be within the expected bound?
I am also concerned that the packet data needs to be pulled
before it can be safely accessed.
>
> This is reachable from any NFC P2P peer device within ~4 cm without
> requiring compromised NFCC firmware.
I think some further explanation is warranted here if that is the case.
> Fix: promote 'offset' from u8 to u16 in both parsers, matching the
> type of their tlv_array_len parameter.
>
> nfc_llcp_parse_gb_tlv() takes GB bytes from the ATR_RES (max 44 bytes),
> so the wrap cannot occur in practice there. Change it anyway for
> correctness and to prevent copy-paste reintroduction.
In the case of both nfc_llcp_parse_gb_tlv() it seems to me that wrap-around
can occur because the value of length, which is used to increment the value
of offset, is read from unverified packet data. Is the data validate
somewhere, or known to be correct?
If so, I expect this can also result in an overrun of tlv.
And I think the same problem exists in nfc_llcp_parse_gb_tlv().
>
> Cc: stable@vger.kernel.org
A fixes tag is needed here.
> Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
The patch should be targeted at net-next like this:
Subject: [PATCH net] ...
And please group together related patches - I see several for nfc -
in a patchset.
More on the Netdev development process can be found here
https://docs.kernel.org/process/maintainer-netdev.html
--
pw-bot: changes-requested
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-09 16:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-05 10:59 [PATCH] nfc: llcp: fix u8 offset truncation in LLCP TLV parsers Lekë Hapçiu
2026-04-09 16:41 ` Simon Horman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox