* [PATCH] nfc: nci: Add skb length validation in nci_core_init_rsp_packet
@ 2026-04-13 9:01 Dudu Lu
2026-04-30 1:43 ` kernel test robot
2026-04-30 3:03 ` kernel test robot
0 siblings, 2 replies; 3+ messages in thread
From: Dudu Lu @ 2026-04-13 9:01 UTC (permalink / raw)
To: netdev; +Cc: davem, edumazet, kuba, pabeni, Dudu Lu
nci_core_init_rsp_packet_v1() and nci_core_init_rsp_packet_v2() cast
skb->data to response structures and dereference fields without first
checking that skb->len is large enough. A malicious or malformed NFCC
can send a short response packet, causing an out-of-bounds read.
Add minimum length checks at the start of both functions. For v1, check
that at least sizeof(nci_core_init_rsp_1) bytes are available before
accessing rsp_1 fields, and validate the dynamic offset before accessing
rsp_2. For v2, check that at least sizeof(nci_core_init_rsp_nci_ver2)
bytes are available.
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
---
net/nfc/nci/rsp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/nfc/nci/rsp.c b/net/nfc/nci/rsp.c
index 9eeb862825c5..01972c806b45 100644
--- a/net/nfc/nci/rsp.c
+++ b/net/nfc/nci/rsp.c
@@ -1,3 +1,14 @@
+ if (skb->len < sizeof(*rsp)) {
+ pr_err("short NCI_CORE_INIT_RSP v2 packet\n");
+ return NCI_STATUS_SYNTAX_ERROR;
+ }
+ if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +
+ sizeof(*rsp_2)) {
+ pr_err("short NCI_CORE_INIT_RSP v1 packet\n");
+ return NCI_STATUS_SYNTAX_ERROR;
+ }
+ if (skb->len < sizeof(*rsp_1))
+ return NCI_STATUS_SYNTAX_ERROR;
// SPDX-License-Identifier: GPL-2.0-only
/*
* The NFC Controller Interface is the communication protocol between an
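Review bot: the hunk header `@@ -1,3 +1,14 @@` places all three checks at line 1 of net/nfc/nci/rsp.c, ahead of the SPDX comment and outside any function, so `skb`, `rsp`, `rsp_1` and `rsp_2` are not in scope and the file cannot compile; the v2 check belongs at the top of nci_core_init_rsp_packet_v2() and the two v1 checks at the top of nci_core_init_rsp_packet_v1(), as the commit message describes. The v1 pair is also in the wrong order: `if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +` dereferences rsp_1 before `if (skb->len < sizeof(*rsp_1))` has established that the fixed part is readable, so move the sizeof(*rsp_1) check first, give it the same pr_err() as the other two for consistency, and replace the bare `6` with a named constant or an expression on the struct so the offset stays tied to the layout it is meant to skip.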
--
2.39.3 (Apple Git-145)
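As an added illustration of the two-stage check the commit message describes (not the patch's code; the simplified structs, status values and sample packets are constructed assumptions, not the kernel's definitions), a user-space C model of the v1 validation with the fixed-head check placed before num_supported_rf_interfaces is read:

```c
#include <stddef.h>
#include <stdint.h>

#define STATUS_OK            0   /* constructed status values, not the kernel's */
#define STATUS_SYNTAX_ERROR  1

/* Fixed 6-byte head of CORE_INIT_RSP v1, followed by the RF-interface list. */
struct __attribute__((packed)) init_rsp_1 {
    uint8_t status;
    uint8_t nfcc_features[4];
    uint8_t num_supported_rf_interfaces;
    uint8_t supported_rf_interfaces[];   /* num_supported_rf_interfaces bytes */
};

/* Second part, located after the RF-interface list (simplified field set). */
struct __attribute__((packed)) init_rsp_2 {
    uint8_t max_logical_connections;
    uint8_t max_routing_table_size[2];
    uint8_t max_ctrl_pkt_payload_len;
    uint8_t manufact_id;
};

/* Validate lengths in the order that avoids any unchecked read: the fixed head
 * before num_supported_rf_interfaces is used, then offset + sizeof(*rsp_2) before rsp_2. */
int parse_init_rsp_v1(const uint8_t *data, size_t len, uint8_t *max_conn)
{
    const struct init_rsp_1 *rsp_1 = (const void *)data;
    const struct init_rsp_2 *rsp_2;
    size_t off;

    if (len < sizeof(*rsp_1))
        return STATUS_SYNTAX_ERROR;      /* short head: count byte not readable */
    off = sizeof(*rsp_1) + rsp_1->num_supported_rf_interfaces;
    if (len < off + sizeof(*rsp_2))
        return STATUS_SYNTAX_ERROR;      /* rsp_2 would run past the packet */
    rsp_2 = (const void *)(data + off);
    *max_conn = rsp_2->max_logical_connections;
    return STATUS_OK;
}

/* max_logical_connections on success, -1 if the packet was rejected. */
int max_conn_of(const uint8_t *pkt, size_t len)
{
    uint8_t v;
    return parse_init_rsp_v1(pkt, len, &v) == STATUS_OK ? v : -1;
}

/* Constructed sample packets (not captured from a real NFCC). */
const uint8_t good_pkt[]   = { 0, 1, 2, 3, 4, 2, 0xA1, 0xA2, 5, 0, 1, 0xFF, 0x23 };
const uint8_t short_head[] = { 0, 1, 2 };                        /* 3 < 6 bytes */
const uint8_t big_count[]  = { 0, 1, 2, 3, 4, 200, 0xA1, 0xA2, 5, 0, 1, 0xFF, 0x23 };
```

The third sample claims 200 RF interfaces in a 13-byte packet, which is exactly the case that the patch's check ordering would dereference before validating.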
* Re: [PATCH] nfc: nci: Add skb length validation in nci_core_init_rsp_packet
From: kernel test robot @ 2026-04-30 1:43 UTC (permalink / raw)
To: Dudu Lu, netdev; +Cc: oe-kbuild-all, davem, edumazet, kuba, pabeni, Dudu Lu
Hi Dudu,
kernel test robot noticed the following build errors:
[auto build test ERROR on net/main]
[also build test ERROR on net-next/main linus/master horms-ipvs/master v7.1-rc1 next-20260429]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dudu-Lu/nfc-nci-Add-skb-length-validation-in-nci_core_init_rsp_packet/20260423-210923
base: net/main
patch link: https://lore.kernel.org/r/20260413090102.77980-1-phx0fer%40gmail.com
patch subject: [PATCH] nfc: nci: Add skb length validation in nci_core_init_rsp_packet
config: arm64-randconfig-001-20260430 (https://download.01.org/0day-ci/archive/20260430/202604300902.FjrlfrkQ-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 8.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260430/202604300902.FjrlfrkQ-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604300902.FjrlfrkQ-lkp@intel.com/
All errors (new ones prefixed by >>):
>> net/nfc/nci/rsp.c:1:2: error: expected identifier or '(' before 'if'
if (skb->len < sizeof(*rsp)) {
^~
net/nfc/nci/rsp.c:5:2: error: expected identifier or '(' before 'if'
if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +
^~
net/nfc/nci/rsp.c:10:2: error: expected identifier or '(' before 'if'
if (skb->len < sizeof(*rsp_1))
^~
vim +1 net/nfc/nci/rsp.c
> 1 if (skb->len < sizeof(*rsp)) {
2 pr_err("short NCI_CORE_INIT_RSP v2 packet\n");
3 return NCI_STATUS_SYNTAX_ERROR;
4 }
5 if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +
6 sizeof(*rsp_2)) {
7 pr_err("short NCI_CORE_INIT_RSP v1 packet\n");
8 return NCI_STATUS_SYNTAX_ERROR;
9 }
10 if (skb->len < sizeof(*rsp_1))
11 return NCI_STATUS_SYNTAX_ERROR;
12 // SPDX-License-Identifier: GPL-2.0-only
13 /*
14 * The NFC Controller Interface is the communication protocol between an
15 * NFC Controller (NFCC) and a Device Host (DH).
16 *
17 * Copyright (C) 2011 Texas Instruments, Inc.
18 *
19 * Written by Ilan Elias <ilane@ti.com>
20 *
21 * Acknowledgements:
22 * This file is based on hci_event.c, which was written
23 * by Maxim Krasnyansky.
24 */
25
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH] nfc: nci: Add skb length validation in nci_core_init_rsp_packet
From: kernel test robot @ 2026-04-30 3:03 UTC (permalink / raw)
To: Dudu Lu, netdev
Cc: llvm, oe-kbuild-all, davem, edumazet, kuba, pabeni, Dudu Lu
Hi Dudu,
kernel test robot noticed the following build errors:
[auto build test ERROR on net/main]
[also build test ERROR on net-next/main linus/master horms-ipvs/master v7.1-rc1 next-20260429]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dudu-Lu/nfc-nci-Add-skb-length-validation-in-nci_core_init_rsp_packet/20260423-210923
base: net/main
patch link: https://lore.kernel.org/r/20260413090102.77980-1-phx0fer%40gmail.com
patch subject: [PATCH] nfc: nci: Add skb length validation in nci_core_init_rsp_packet
config: arm64-randconfig-004-20260430 (https://download.01.org/0day-ci/archive/20260430/202604301024.q9hVP893-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 5bac06718f502014fade905512f1d26d578a18f3)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260430/202604301024.q9hVP893-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604301024.q9hVP893-lkp@intel.com/
All errors (new ones prefixed by >>):
>> net/nfc/nci/rsp.c:1:2: error: expected identifier or '('
1 | if (skb->len < sizeof(*rsp)) {
| ^
net/nfc/nci/rsp.c:5:2: error: expected identifier or '('
5 | if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +
| ^
net/nfc/nci/rsp.c:10:2: error: expected identifier or '('
10 | if (skb->len < sizeof(*rsp_1))
| ^
vim +1 net/nfc/nci/rsp.c
> 1 if (skb->len < sizeof(*rsp)) {
2 pr_err("short NCI_CORE_INIT_RSP v2 packet\n");
3 return NCI_STATUS_SYNTAX_ERROR;
4 }
5 if (skb->len < 6 + rsp_1->num_supported_rf_interfaces +
6 sizeof(*rsp_2)) {
7 pr_err("short NCI_CORE_INIT_RSP v1 packet\n");
8 return NCI_STATUS_SYNTAX_ERROR;
9 }
10 if (skb->len < sizeof(*rsp_1))
11 return NCI_STATUS_SYNTAX_ERROR;
12 // SPDX-License-Identifier: GPL-2.0-only
13 /*
14 * The NFC Controller Interface is the communication protocol between an
15 * NFC Controller (NFCC) and a Device Host (DH).
16 *
17 * Copyright (C) 2011 Texas Instruments, Inc.
18 *
19 * Written by Ilan Elias <ilane@ti.com>
20 *
21 * Acknowledgements:
22 * This file is based on hci_event.c, which was written
23 * by Maxim Krasnyansky.
24 */
25
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki