[PATCH net 0/2] nfc: llcp: fix OOB reads and integer bugs in TLV parsers

[PATCH net 0/2] nfc: llcp: fix OOB reads and integer bugs in TLV parsers

[Muhammad Bilal]

This series fixes memory safety bugs in the NFC LLCP TLV parsing code,
reachable from a remote NFC peer via crafted LLCP frames.

Patch 1 fixes nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv():
  - u8 offset wraps to zero after 255 (widened to u16)
  - OOB read of TLV header on truncated buffer
  - OOB read of value field via attacker-controlled length byte

Patch 2 fixes nfc_llcp_recv_snl():
  - OOB read of TLV header when tlv_len - offset == 1
  - OOB read of SDREQ value via attacker-controlled length
  - SIZE_MAX underflow when length == 0 in service_name_len,
    bypassing the sn_len == 0 guard in nfc_llcp_sock_from_sn()

Previously reported to security@kernel.org on 2026-05-15. Willy Tarreau
advised posting to public lists as NFC is currently orphaned.

Muhammad Bilal (2):
  nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers
  nfc: llcp: add missing bounds checks in nfc_llcp_recv_snl()

 net/nfc/llcp_commands.c | 28 ++++++++++++++++++++++++++--
 net/nfc/llcp_core.c     | 23 +++++++++++++++++++++--
 2 files changed, 47 insertions(+), 4 deletions(-)

-- 
2.54.0

[PATCH net 1/2] nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers

[Muhammad Bilal]

nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv() contain
three related bugs in their TLV parsing loops:

1. 'offset' is declared u8 but tlv_array_len is u16. When TLV data
   advances offset past 255 it silently wraps to zero, causing
   infinite loops or double-processing of buffer data.

2. Before reading tlv[0] (type) and tlv[1] (length) there is no
   check that offset+2 <= tlv_array_len. A truncated TLV causes
   an OOB read of one byte past the buffer end.

3. After reading the length field, the value bytes are accessed
   without checking offset+2+length <= tlv_array_len. A crafted
   length=0xFF on a short buffer causes up to 255 bytes of OOB
   read past the buffer end.

Both functions are reachable without authentication via
nfc_llcp_set_remote_gb() which feeds remote LLCP general bytes
directly into nfc_llcp_parse_gb_tlv() with no additional
validation.

Fix all three issues by widening offset from u8 to u16 and adding
bounds checks for both the TLV header and value field before each
access.

Fixes: 3df40eb3a2ea ("nfc: constify several pointers to u8, char and sk_buff")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
 net/nfc/llcp_commands.c | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 291f26fac..9162f8161 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -193,7 +193,8 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
 			  const u8 *tlv_array, u16 tlv_array_len)
 {
 	const u8 *tlv = tlv_array;
-	u8 type, length, offset = 0;
+	u8 type, length;
+	u16 offset = 0;
 
 	pr_debug("TLV array length %d\n", tlv_array_len);
 
@@ -201,9 +202,20 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
 		return -ENODEV;
 
 	while (offset < tlv_array_len) {
+		if (offset + 2 > tlv_array_len) {
+			pr_err("Truncated TLV header at offset %u\n", offset);
+			return -EINVAL;
+		}
+
 		type = tlv[0];
 		length = tlv[1];
 
+		if (offset + 2 + length > tlv_array_len) {
+			pr_err("TLV length %u overflows buffer at offset %u\n",
+			       length, offset);
+			return -EINVAL;
+		}
+
 		pr_debug("type 0x%x length %d\n", type, length);
 
 		switch (type) {
@@ -243,7 +255,8 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
 				  const u8 *tlv_array, u16 tlv_array_len)
 {
 	const u8 *tlv = tlv_array;
-	u8 type, length, offset = 0;
+	u8 type, length;
+	u16 offset = 0;
 
 	pr_debug("TLV array length %d\n", tlv_array_len);
 
@@ -251,9 +264,20 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
 		return -ENOTCONN;
 
 	while (offset < tlv_array_len) {
+		if (offset + 2 > tlv_array_len) {
+			pr_err("Truncated TLV header at offset %u\n", offset);
+			return -EINVAL;
+		}
+
 		type = tlv[0];
 		length = tlv[1];
 
+		if (offset + 2 + length > tlv_array_len) {
+			pr_err("TLV length %u overflows buffer at offset %u\n",
+			       length, offset);
+			return -EINVAL;
+		}
+
 		pr_debug("type 0x%x length %d\n", type, length);
 
 		switch (type) {
-- 
2.54.0

[PATCH net 2/2] nfc: llcp: add missing bounds checks in nfc_llcp_recv_snl()

[Muhammad Bilal]

nfc_llcp_recv_snl() processes remotely supplied SNL frames without
validating TLV buffer boundaries before accessing header and value
bytes, leading to three issues:

1. No bounds check before reading tlv[0] (type) and tlv[1] (length).
   When tlv_len - offset == 1, reading tlv[1] accesses one byte past
   the end of the skb data.

2. For LLCP_TLV_SDREQ entries, tlv[2] (tid) and tlv[3+]
   (service_name) are read without checking offset+2+length <= tlv_len,
   allowing out-of-bounds reads beyond the skb data boundary.

3. service_name_len = length - 1 with length as u8 and service_name_len
   as size_t. When length == 0, the subtraction yields SIZE_MAX on
   64-bit kernels due to integer promotion. The computed SIZE_MAX value
   is propagated into nfc_llcp_sock_from_sn() as sn_len, bypassing the
   sn_len == 0 guard and reaching subsequent comparison logic with an
   excessively large length argument.

Fix all three issues by:
  - Adding a header bounds check before reading tlv[0]/tlv[1].
  - Adding a value bounds check after reading length.
  - Rejecting SDREQ TLVs with length < 1 to prevent the SIZE_MAX
    underflow, while preserving length == 1 as a valid case.
  - Rejecting SDRES TLVs with length < 2 since both tlv[2] and
    tlv[3] are required.

Fixes: 19cfe5843e86 ("NFC: Initial SNL support")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
 net/nfc/llcp_core.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index db5bc6a87..da7c6377d 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1300,12 +1300,28 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 	sdres_tlvs_len = 0;
 
 	while (offset < tlv_len) {
-		type = tlv[0];
+		if (offset + 2 > tlv_len) {
+			pr_err("Truncated TLV header at offset %u\n", offset);
+			goto exit;
+		}
+
+		type   = tlv[0];
 		length = tlv[1];
 
+		if (offset + 2 + length > tlv_len) {
+			pr_err("TLV length %u overflows buffer at offset %u\n",
+			       length, offset);
+			goto exit;
+		}
+
 		switch (type) {
 		case LLCP_TLV_SDREQ:
-			tid = tlv[2];
+			if (length < 1) {
+				pr_err("SDREQ TLV length %u too short\n", length);
+				goto exit;
+			}
+
+			tid          = tlv[2];
 			service_name = (char *) &tlv[3];
 			service_name_len = length - 1;
 
@@ -1369,6 +1385,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 			break;
 
 		case LLCP_TLV_SDRES:
+			if (length < 2)
+				break;
+
 			mutex_lock(&local->sdreq_lock);
 
 			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
-- 
2.54.0