* [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing
@ 2026-05-25 20:24 Doruk Tan Ozturk
2026-06-02 11:12 ` David Heidelberg
2026-06-02 12:58 ` David Laight
0 siblings, 2 replies; 5+ messages in thread
From: Doruk Tan Ozturk @ 2026-05-25 20:24 UTC (permalink / raw)
To: oe-linux-nfc; +Cc: david+nfc, security, netdev, Doruk Tan Ozturk
Multiple out-of-bounds read vulnerabilities exist in the NFC LLCP TLV
parsers:
1. In nfc_llcp_recv_snl(), when an SDREQ TLV has length == 0,
service_name_len = length - 1 underflows to SIZE_MAX (size_t is
unsigned). The subsequent strncmp() and nfc_llcp_sock_from_sn()
calls then read unbounded kernel heap memory.
2. All LLCP TLV parsing loops (nfc_llcp_recv_snl, nfc_llcp_connect_sn,
nfc_llcp_parse_gb_tlv, nfc_llcp_parse_connection_tlv) read tlv[0]
and tlv[1] without first verifying that at least 2 bytes remain in
the buffer.
A nearby malicious NFC device can trigger these without authentication --
LLCP link activation happens automatically after NFC-DEP.
Fix by adding a minimum length check before the subtraction in the
SDREQ case, and adding bounds validation at the top of each TLV loop
iteration.
Found by pwnkit (https://github.com/0sec-labs/pwnkit), an automated
kernel source review tool by 0sec (https://0sec.ai).
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
net/nfc/llcp_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index XXXXXXX..YYYYYYY 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1300,6 +1300,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
while (offset < tlv_len) {
+ if (offset + 2 > tlv_len)
+ break;
+
type = tlv[0];
length = tlv[1];
@@ -1307,6 +1310,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
switch (type) {
case LLCP_TLV_SDREQ:
+ if (length < 1)
+ break;
+
tid = tlv[2];
service_name = (char *) &tlv[3];
service_name_len = length - 1;
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing
2026-05-25 20:24 [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing Doruk Tan Ozturk
@ 2026-06-02 11:12 ` David Heidelberg
2026-06-02 12:58 ` David Laight
1 sibling, 0 replies; 5+ messages in thread
From: David Heidelberg @ 2026-06-02 11:12 UTC (permalink / raw)
To: Doruk Tan Ozturk; +Cc: security, netdev, oe-linux-nfc
On 25/05/2026 22:24, Doruk Tan Ozturk wrote:
> Multiple out-of-bounds read vulnerabilities exist in the NFC LLCP TLV
> parsers:
>
> 1. In nfc_llcp_recv_snl(), when an SDREQ TLV has length == 0,
> service_name_len = length - 1 underflows to SIZE_MAX (size_t is
> unsigned). The subsequent strncmp() and nfc_llcp_sock_from_sn()
> calls then read unbounded kernel heap memory.
>
> 2. All LLCP TLV parsing loops (nfc_llcp_recv_snl, nfc_llcp_connect_sn,
> nfc_llcp_parse_gb_tlv, nfc_llcp_parse_connection_tlv) read tlv[0]
> and tlv[1] without first verifying that at least 2 bytes remain in
> the buffer.
>
> A nearby malicious NFC device can trigger these without authentication --
> LLCP link activation happens automatically after NFC-DEP.
>
> Fix by adding a minimum length check before the subtraction in the
> SDREQ case, and adding bounds validation at the top of each TLV loop
> iteration.
>
> Found by pwnkit (https://github.com/0sec-labs/pwnkit), an automated
> kernel source review tool by 0sec (https://0sec.ai).
>
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
> net/nfc/llcp_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index XXXXXXX..YYYYYYY 100644
Hello Doruk,
thank you for your patch.
The patch won't apply cleanly, could you please resent patch based against
recent https://codeberg.org/linux-nfc/linux/commits/branch/for-next ?
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -1300,6 +1300,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>
> while (offset < tlv_len) {
> + if (offset + 2 > tlv_len)
I think it would be more descriptive use define, thus
(offset + LLCP_HEADER_SIZE > tlv_len)
David
> + break;
> +
> type = tlv[0];
> length = tlv[1];
>
> @@ -1307,6 +1310,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
> switch (type) {
> case LLCP_TLV_SDREQ:
> + if (length < 1)
> + break;
> +
> tid = tlv[2];
> service_name = (char *) &tlv[3];
> service_name_len = length - 1;
--
David Heidelberg
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing
2026-05-25 20:24 [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing Doruk Tan Ozturk
2026-06-02 11:12 ` David Heidelberg
@ 2026-06-02 12:58 ` David Laight
2026-06-03 16:55 ` Willy Tarreau
1 sibling, 1 reply; 5+ messages in thread
From: David Laight @ 2026-06-02 12:58 UTC (permalink / raw)
To: Doruk Tan Ozturk; +Cc: oe-linux-nfc, david+nfc, security, netdev
On Mon, 25 May 2026 22:24:27 +0200
Doruk Tan Ozturk <doruk@0sec.ai> wrote:
> Multiple out-of-bounds read vulnerabilities exist in the NFC LLCP TLV
> parsers:
>
> 1. In nfc_llcp_recv_snl(), when an SDREQ TLV has length == 0,
> service_name_len = length - 1 underflows to SIZE_MAX (size_t is
> unsigned). The subsequent strncmp() and nfc_llcp_sock_from_sn()
> calls then read unbounded kernel heap memory.
>
> 2. All LLCP TLV parsing loops (nfc_llcp_recv_snl, nfc_llcp_connect_sn,
> nfc_llcp_parse_gb_tlv, nfc_llcp_parse_connection_tlv) read tlv[0]
> and tlv[1] without first verifying that at least 2 bytes remain in
> the buffer.
>
> A nearby malicious NFC device can trigger these without authentication --
> LLCP link activation happens automatically after NFC-DEP.
>
> Fix by adding a minimum length check before the subtraction in the
> SDREQ case, and adding bounds validation at the top of each TLV loop
> iteration.
Why not fix it properly so that it doesn't read beyond the end of the skb.
1) Change offset and tlv_len to be 32bit - no point trying to do 16bit mathx.
2) Worry about non-linear skb - perhaps just process skb_header_len() bytes.
3) Allow for very short frames.
4) Don't read beyond the end of the skb data.
Something like:
tlv = skb->data + LLCP_HEADER_SIZE;
tlv_end = skb_tail_pointer(skb);
for (; tlv + 2 < tlv_end; tlv += 2 + length) {
type = tlv[0];
length = tlv[1];
if (tlv + 2 + length > tlv_end)
break;
Then as well as the check for length >= 1 in SDREQ (even 1 doesn't make sense),
the SDRES path is missing a check for length >= 2.
-- David
>
> Found by pwnkit (https://github.com/0sec-labs/pwnkit), an automated
> kernel source review tool by 0sec (https://0sec.ai).
>
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
> net/nfc/llcp_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index XXXXXXX..YYYYYYY 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -1300,6 +1300,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>
> while (offset < tlv_len) {
> + if (offset + 2 > tlv_len)
> + break;
> +
> type = tlv[0];
> length = tlv[1];
>
> @@ -1307,6 +1310,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
> switch (type) {
> case LLCP_TLV_SDREQ:
> + if (length < 1)
> + break;
> +
> tid = tlv[2];
> service_name = (char *) &tlv[3];
> service_name_len = length - 1;
>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing
2026-06-02 12:58 ` David Laight
@ 2026-06-03 16:55 ` Willy Tarreau
0 siblings, 0 replies; 5+ messages in thread
From: Willy Tarreau @ 2026-06-03 16:55 UTC (permalink / raw)
To: David Laight; +Cc: Doruk Tan Ozturk, oe-linux-nfc, david+nfc, netdev
On Tue, Jun 02, 2026 at 01:58:55PM +0100, David Laight wrote:
> On Mon, 25 May 2026 22:24:27 +0200
> Doruk Tan Ozturk <doruk@0sec.ai> wrote:
>
> > Multiple out-of-bounds read vulnerabilities exist in the NFC LLCP TLV
> > parsers:
> >
> > 1. In nfc_llcp_recv_snl(), when an SDREQ TLV has length == 0,
> > service_name_len = length - 1 underflows to SIZE_MAX (size_t is
> > unsigned). The subsequent strncmp() and nfc_llcp_sock_from_sn()
> > calls then read unbounded kernel heap memory.
> >
> > 2. All LLCP TLV parsing loops (nfc_llcp_recv_snl, nfc_llcp_connect_sn,
> > nfc_llcp_parse_gb_tlv, nfc_llcp_parse_connection_tlv) read tlv[0]
> > and tlv[1] without first verifying that at least 2 bytes remain in
> > the buffer.
> >
> > A nearby malicious NFC device can trigger these without authentication --
> > LLCP link activation happens automatically after NFC-DEP.
> >
> > Fix by adding a minimum length check before the subtraction in the
> > SDREQ case, and adding bounds validation at the top of each TLV loop
> > iteration.
>
> Why not fix it properly so that it doesn't read beyond the end of the skb.
> 1) Change offset and tlv_len to be 32bit - no point trying to do 16bit mathx.
> 2) Worry about non-linear skb - perhaps just process skb_header_len() bytes.
> 3) Allow for very short frames.
> 4) Don't read beyond the end of the skb data.
>
> Something like:
> tlv = skb->data + LLCP_HEADER_SIZE;
> tlv_end = skb_tail_pointer(skb);
> for (; tlv + 2 < tlv_end; tlv += 2 + length) {
> type = tlv[0];
> length = tlv[1];
> if (tlv + 2 + length > tlv_end)
> break;
>
> Then as well as the check for length >= 1 in SDREQ (even 1 doesn't make sense),
> the SDRES path is missing a check for length >= 2.
[ just moved sec@k.o to Bcc since this is public discussion, please
don't re-add it ]
Thanks,
Willy
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing
@ 2026-05-25 20:21 Doruk Tan Ozturk
0 siblings, 0 replies; 5+ messages in thread
From: Doruk Tan Ozturk @ 2026-05-25 20:21 UTC (permalink / raw)
To: linux-nfc; +Cc: krzysztof.kozlowski, security, netdev, Doruk Tan Ozturk
Multiple out-of-bounds read vulnerabilities exist in the NFC LLCP TLV
parsers:
1. In nfc_llcp_recv_snl(), when an SDREQ TLV has length == 0,
service_name_len = length - 1 underflows to SIZE_MAX (size_t is
unsigned). The subsequent strncmp() and nfc_llcp_sock_from_sn()
calls then read unbounded kernel heap memory.
2. All LLCP TLV parsing loops (nfc_llcp_recv_snl, nfc_llcp_connect_sn,
nfc_llcp_parse_gb_tlv, nfc_llcp_parse_connection_tlv) read tlv[0]
and tlv[1] without first verifying that at least 2 bytes remain in
the buffer.
A nearby malicious NFC device can trigger these without authentication --
LLCP link activation happens automatically after NFC-DEP.
Fix by adding a minimum length check before the subtraction in the
SDREQ case, and adding bounds validation at the top of each TLV loop
iteration.
Found by pwnkit (https://github.com/0sec-labs/pwnkit), an automated
kernel source review tool by 0sec (https://0sec.ai).
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
net/nfc/llcp_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index XXXXXXX..YYYYYYY 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1300,6 +1300,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
while (offset < tlv_len) {
+ if (offset + 2 > tlv_len)
+ break;
+
type = tlv[0];
length = tlv[1];
@@ -1307,6 +1310,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
switch (type) {
case LLCP_TLV_SDREQ:
+ if (length < 1)
+ break;
+
tid = tlv[2];
service_name = (char *) &tlv[3];
service_name_len = length - 1;
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-06-03 17:03 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-25 20:24 [PATCH] nfc: llcp: fix integer underflow and missing bounds checks in TLV parsing Doruk Tan Ozturk
2026-06-02 11:12 ` David Heidelberg
2026-06-02 12:58 ` David Laight
2026-06-03 16:55 ` Willy Tarreau
-- strict thread matches above, loose matches on Subject: below --
2026-05-25 20:21 Doruk Tan Ozturk
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox