From: "Lekë Hapçiu" <snowwlake@icloud.com>
To: netdev@vger.kernel.org
Cc: linux-wireless@vger.kernel.org, stable@vger.kernel.org,
krzysztof.kozlowski@linaro.org,
"Lekë Hapçiu" <snowwlake@icloud.com>
Subject: [PATCH net 1/4] nfc: digital: Fix stack buffer overflow in digital_in_recv_sensf_res()
Date: Fri, 10 Apr 2026 00:34:31 +0200 [thread overview]
Message-ID: <20260409223436.1887988-2-snowwlake@icloud.com> (raw)
In-Reply-To: <20260409223436.1887988-1-snowwlake@icloud.com>
The function digital_in_recv_sensf_res() validates that the incoming
SENSF_RES frame is at least DIGITAL_SENSF_RES_MIN_LENGTH (17) bytes,
but does not check that it is at most NFC_SENSF_RES_MAXSIZE (18) bytes
before copying into the 18-byte target.sensf_res stack buffer.
After skb_pull(resp, 1) removes the framing byte, resp->len can range
from 16 up to 253 — an NFC-F frame carries a 1-byte length field with
maximum value 255, from which the driver status byte (pulled here) and
the protocol length byte are subtracted. The memcpy() at line 775 then
writes up to 235 bytes past the end of target.sensf_res, overflowing
into adjacent stack data including saved registers and the return address.
A device in NFC-F polling mode can trigger this condition without any
prior pairing or authentication by responding to a SENSF_REQ with an
oversized frame. No user interaction is required on the victim device
while NFC discovery is active.
The NCI code path handles this correctly; nci/ntf.c line 508:
nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
Apply the equivalent upper-bound check to the digital protocol path by
rejecting frames whose post-strip length exceeds NFC_SENSF_RES_MAXSIZE.
Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support")
Cc: stable@vger.kernel.org
Signed-off-by: Lekë Hapçiu <snowwlake@icloud.com>
---
net/nfc/digital_technology.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index XXXXXXX..XXXXXXX 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -768,6 +768,11 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg,
skb_pull(resp, 1);
+ if (resp->len > NFC_SENSF_RES_MAXSIZE) {
+ rc = -EIO;
+ goto exit;
+ }
+
memset(&target, 0, sizeof(struct nfc_target));
sensf_res = (struct digital_sensf_res *)resp->data;
--
2.34.1
next prev parent reply other threads:[~2026-04-09 22:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 22:34 [PATCH net 0/4] nfc: digital: Fix missing and misplaced length checks Lekë Hapçiu
2026-04-09 22:34 ` Lekë Hapçiu [this message]
2026-04-12 20:58 ` [PATCH net 1/4] nfc: digital: Fix stack buffer overflow in digital_in_recv_sensf_res() Jakub Kicinski
2026-04-09 22:34 ` [PATCH net 2/4] nfc: digital: Fix check-after-read in digital_tg_recv_sens_req() Lekë Hapçiu
2026-04-09 22:34 ` [PATCH net 3/4] nfc: digital: Fix OOB read of RTOX byte in digital_in_recv_dep_res() Lekë Hapçiu
2026-04-09 22:34 ` [PATCH net 4/4] nfc: digital: Fix OOB read of DID byte in digital_tg_recv_dep_req() Lekë Hapçiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409223436.1887988-2-snowwlake@icloud.com \
--to=snowwlake@icloud.com \
--cc=krzysztof.kozlowski@linaro.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox