From: "Lekë Hapçiu" <snowwlake@icloud.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, linux-nfc@lists.01.org,
stable@vger.kernel.org, horms@kernel.org,
"Lekë Hapçiu" <framemain@outlook.com>
Subject: [PATCH net v2 1/3] nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
Date: Thu, 9 Apr 2026 20:59:56 +0200 [thread overview]
Message-ID: <20260409185958.1821242-2-snowwlake@icloud.com> (raw)
In-Reply-To: <20260409185958.1821242-1-snowwlake@icloud.com>
From: Lekë Hapçiu <framemain@outlook.com>
nci_store_general_bytes_nfc_dep() computes the number of General Bytes
to copy from an ATR_RES or ATR_REQ frame by subtracting a fixed header
offset from the peer-supplied length field:
ndev->remote_gb_len = min_t(__u8,
(atr_res_len - NFC_ATR_RES_GT_OFFSET), /* offset = 15 */
NFC_ATR_RES_GB_MAXSIZE);
Both length fields are __u8. When a malicious NFC-DEP target (POLL mode)
or initiator (LISTEN mode) sends an ATR_RES/ATR_REQ whose length field is
smaller than the fixed offset (< 15 or < 14 respectively), the subtraction
wraps in unsigned u8 arithmetic:
e.g. atr_res_len = 0 -> (u8)(0 - 15) = 241
min_t(__u8, 241, 47) then yields 47, so the subsequent memcpy reads
47 bytes from beyond the end of the valid activation parameter data into
ndev->remote_gb[]. This buffer is later passed to nfc_llcp_parse_gb_tlv()
as a TLV array, feeding directly into the TLV parser hardened by the
companion patch.
Fix: add an explicit lower-bound check on each length field before the
subtraction. If the length is smaller than the required offset the frame
is malformed; leave remote_gb_len at zero and skip the memcpy.
Both the POLL (atr_res_len / NFC_ATR_RES_GT_OFFSET = 15) and the LISTEN
(atr_req_len / NFC_ATR_REQ_GT_OFFSET = 14) paths are affected; both are
fixed symmetrically.
Reachability: the ATR_RES is sent by an NFC-DEP target during RF
activation, before any authentication or pairing. The bug is therefore
reachable from any NFC peer within ~4 cm.
Fixes: a99903ec4566 ("NFC: NCI: Handle Target mode activation")
Cc: stable@vger.kernel.org
Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
---
net/nfc/nci/ntf.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index c96512bb8..8eb295580 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -631,25 +631,31 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev,
switch (ntf->activation_rf_tech_and_mode) {
case NCI_NFC_A_PASSIVE_POLL_MODE:
case NCI_NFC_F_PASSIVE_POLL_MODE:
+ if (ntf->activation_params.poll_nfc_dep.atr_res_len <
+ NFC_ATR_RES_GT_OFFSET)
+ break;
ndev->remote_gb_len = min_t(__u8,
- (ntf->activation_params.poll_nfc_dep.atr_res_len
- - NFC_ATR_RES_GT_OFFSET),
+ ntf->activation_params.poll_nfc_dep.atr_res_len
+ - NFC_ATR_RES_GT_OFFSET,
NFC_ATR_RES_GB_MAXSIZE);
memcpy(ndev->remote_gb,
- (ntf->activation_params.poll_nfc_dep.atr_res
- + NFC_ATR_RES_GT_OFFSET),
+ ntf->activation_params.poll_nfc_dep.atr_res
+ + NFC_ATR_RES_GT_OFFSET,
ndev->remote_gb_len);
break;
case NCI_NFC_A_PASSIVE_LISTEN_MODE:
case NCI_NFC_F_PASSIVE_LISTEN_MODE:
+ if (ntf->activation_params.listen_nfc_dep.atr_req_len <
+ NFC_ATR_REQ_GT_OFFSET)
+ break;
ndev->remote_gb_len = min_t(__u8,
- (ntf->activation_params.listen_nfc_dep.atr_req_len
- - NFC_ATR_REQ_GT_OFFSET),
+ ntf->activation_params.listen_nfc_dep.atr_req_len
+ - NFC_ATR_REQ_GT_OFFSET,
NFC_ATR_REQ_GB_MAXSIZE);
memcpy(ndev->remote_gb,
- (ntf->activation_params.listen_nfc_dep.atr_req
- + NFC_ATR_REQ_GT_OFFSET),
+ ntf->activation_params.listen_nfc_dep.atr_req
+ + NFC_ATR_REQ_GT_OFFSET,
ndev->remote_gb_len);
break;
--
2.51.0
next prev parent reply other threads:[~2026-04-09 19:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-05 10:59 [PATCH] nfc: llcp: fix u8 offset truncation in LLCP TLV parsers Lekë Hapçiu
2026-04-09 16:41 ` Simon Horman
2026-04-09 18:59 ` [PATCH net v2 0/3] nfc: fix chained TLV parsing and integer underflow vulnerabilities Lekë Hapçiu
2026-04-09 18:59 ` Lekë Hapçiu [this message]
2026-04-09 18:59 ` [PATCH net v2 2/3] nfc: llcp: add TLV length bounds checks in parse_gb_tlv and parse_connection_tlv Lekë Hapçiu
2026-04-09 18:59 ` [PATCH net v2 3/3] nfc: llcp: fix TLV parsing OOB and length underflow in nfc_llcp_recv_snl Lekë Hapçiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409185958.1821242-2-snowwlake@icloud.com \
--to=snowwlake@icloud.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=framemain@outlook.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-nfc@lists.01.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox