* [PATCH net v3 0/4] nfc: fix multiple parsing vulnerabilities reachable from RF
@ 2026-04-14 23:35 Lekë Hapçiu
0 siblings, 0 replies; only message in thread
From: Lekë Hapçiu @ 2026-04-14 23:35 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, horms, linux-kernel, stable,
Lekë Hapçiu
From: Lekë Hapçiu <framemain@outlook.com>
This series fixes four RF-reachable parsing vulnerabilities in the NFC
stack. All four are triggerable from an NFC peer within ~4 cm of the
victim, before any pairing or authentication.
Patch 1 fixes a u8 underflow in nci_store_general_bytes_nfc_dep() where
a short ATR_RES/ATR_REQ causes (atr_res_len - NFC_ATR_RES_GT_OFFSET) to
wrap in u8 arithmetic, producing a bogus remote_gb_len that copies up
to 47 bytes beyond the valid activation parameter data.
Patch 2 hardens nfc_llcp_parse_gb_tlv() and
nfc_llcp_parse_connection_tlv(). The loop guard does not prove that
two header bytes can be read, and the peer-controlled `length` field
is used to advance `tlv` without bounds checking. An 8-bit `offset`
against a 16-bit `tlv_array_len` compounds the issue in
parse_connection_tlv() where the TLV array can exceed 255 bytes.
Patch 3 fixes nfc_llcp_recv_snl(). The SNL handler accesses skb->data
before verifying skb->len, and its inner TLV loop has the same two
weaknesses as patch 2. SDREQ handling additionally requires
length >= 2 because both tid (tlv[2]) and the start of service_name
(tlv[3]) are read.
Patch 4 fixes nfc_llcp_recv_dm() which reads skb->data[2] (the DM
reason byte) without checking skb->len >= 3.
Changes in v3:
- Restore the u8 -> u16 `offset` promotion in patch 2. v2 split this
into a separate v1 patch and did not re-send it; v3 combines the
promotion and the bounds checks in a single patch (Paolo Abeni).
- Return -EINVAL from nci_store_general_bytes_nfc_dep() and propagate
the error out of nci_rf_intf_activated_ntf_packet() rather than
silently accepting the malformed packet (Paolo Abeni).
- Drop the style-only paren removal in patch 1 (Paolo Abeni).
- Condense commit message in patch 2 (Paolo Abeni).
- Consolidate the length >= 1 checks before the switch in patch 2,
keeping length >= 2 only for the llcp_tlv16() accessors (Paolo Abeni).
- Tighten SDREQ length check from >=1 to >=2 in patch 3; the handler
reads both tlv[2] and tlv[3] (Sashiko).
- Add patch 4 for nfc_llcp_recv_dm().
- Send as a fresh thread rather than In-Reply-To v2 (Paolo Abeni).
Lekë Hapçiu (4):
nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm
net/nfc/llcp_commands.c | 24 ++++++++++++++++++++++--
net/nfc/llcp_core.c | 16 ++++++++++++++++
net/nfc/nci/ntf.c | 10 +++++++++-
3 files changed, 47 insertions(+), 3 deletions(-)
--
2.51.0
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-04-14 23:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-14 23:35 [PATCH net v3 0/4] nfc: fix multiple parsing vulnerabilities reachable from RF Lekë Hapçiu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox