[PATCH net v2] nfc: llcp: bound SNL TLV parsing to the skb and add length checks

[PATCH net v2] nfc: llcp: bound SNL TLV parsing to the skb and add length checks

[Doruk Tan Ozturk]

nfc_llcp_recv_snl() walked the SNL TLV list using a u16 offset/length
pair derived from skb->len, without bounding reads to the actual skb
data. Three problems followed:

  - For a short frame (skb->len < LLCP_HEADER_SIZE), tlv_len underflowed.
  - The per-TLV header (type, length) was read without checking that two
    bytes remained.
  - A declared TLV length could run past the end of the buffer, and an
    SDREQ with length == 0 made "service_name_len = length - 1" underflow
    to SIZE_MAX, driving an out-of-bounds read in the following strncmp()
    / nfc_llcp_sock_from_sn(). The SDRES case likewise read tlv[2]/tlv[3]
    without a length check.

A nearby NFC device can reach this without authentication; LLCP link
activation happens automatically after NFC-DEP.

Walk the TLV list by pointer, bounded by skb_tail_pointer(), and validate
each TLV declared length before use. Add explicit length checks for
SDREQ (>= 1) and SDRES (>= 2).

Found by 0sec automated security-research tooling (https://0sec.ai).

Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
v2:
 - Walk by pointer bounded on skb_tail_pointer(); drop the 16-bit
   offset/tlv_len math and fix the short-frame underflow (David Laight).
 - Add an SDRES length >= 2 check alongside SDREQ length >= 1 (David Laight).
 - Bound the SDREQ service-name pr_debug to the field length (no over-read).
 - Rebased onto linux-nfc for-next (David Heidelberg).
 net/nfc/llcp_core.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index dc65c719f..d23ca815a 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1286,8 +1286,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 {
 	struct nfc_llcp_sock *llcp_sock;
 	u8 dsap, ssap, type, length, tid, sap;
-	const u8 *tlv;
-	u16 tlv_len, offset;
+	const u8 *tlv, *tlv_end;
 	const char *service_name;
 	size_t service_name_len;
 	struct nfc_llcp_sdp_tlv *sdp;
@@ -1306,21 +1305,28 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 	}
 
 	tlv = &skb->data[LLCP_HEADER_SIZE];
-	tlv_len = skb->len - LLCP_HEADER_SIZE;
-	offset = 0;
+	tlv_end = skb_tail_pointer(skb);
 	sdres_tlvs_len = 0;
 
-	while (offset < tlv_len) {
+	while (tlv + 2 < tlv_end) {
 		type = tlv[0];
 		length = tlv[1];
 
+		if (tlv + 2 + length > tlv_end)
+			break;
+
 		switch (type) {
 		case LLCP_TLV_SDREQ:
+			if (length < 1)
+				break;
+
 			tid = tlv[2];
 			service_name = (char *) &tlv[3];
 			service_name_len = length - 1;
 
-			pr_debug("Looking for %.16s\n", service_name);
+			pr_debug("Looking for %.*s\n",
+				 (int)min_t(size_t, service_name_len, 16),
+				 service_name);
 
 			if (service_name_len == strlen("urn:nfc:sn:sdp") &&
 			    !strncmp(service_name, "urn:nfc:sn:sdp",
@@ -1380,6 +1386,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 			break;
 
 		case LLCP_TLV_SDRES:
+			if (length < 2)
+				break;
+
 			mutex_lock(&local->sdreq_lock);
 
 			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
@@ -1408,7 +1417,6 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 			break;
 		}
 
-		offset += length + 2;
 		tlv += length + 2;
 	}
 
-- 
2.53.0

Re: [PATCH net v2] nfc: llcp: bound SNL TLV parsing to the skb and add length checks

[David Laight]

On Wed,  3 Jun 2026 15:59:35 +0200
Doruk Tan Ozturk <doruk@0sec.ai> wrote:

> nfc_llcp_recv_snl() walked the SNL TLV list using a u16 offset/length
> pair derived from skb->len, without bounding reads to the actual skb
> data. Three problems followed:
> 
>   - For a short frame (skb->len < LLCP_HEADER_SIZE), tlv_len underflowed.
>   - The per-TLV header (type, length) was read without checking that two
>     bytes remained.
>   - A declared TLV length could run past the end of the buffer, and an
>     SDREQ with length == 0 made "service_name_len = length - 1" underflow
>     to SIZE_MAX, driving an out-of-bounds read in the following strncmp()
>     / nfc_llcp_sock_from_sn(). The SDRES case likewise read tlv[2]/tlv[3]
>     without a length check.
> 
> A nearby NFC device can reach this without authentication; LLCP link
> activation happens automatically after NFC-DEP.
> 
> Walk the TLV list by pointer, bounded by skb_tail_pointer(), and validate
> each TLV declared length before use. Add explicit length checks for
> SDREQ (>= 1) and SDRES (>= 2).
> 
> Found by 0sec automated security-research tooling (https://0sec.ai).
> 
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
> v2:
>  - Walk by pointer bounded on skb_tail_pointer(); drop the 16-bit
>    offset/tlv_len math and fix the short-frame underflow (David Laight).
>  - Add an SDRES length >= 2 check alongside SDREQ length >= 1 (David Laight).
>  - Bound the SDREQ service-name pr_debug to the field length (no over-read).
>  - Rebased onto linux-nfc for-next (David Heidelberg).
>  net/nfc/llcp_core.c | 22 +++++++++++++++-------
>  1 file changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
> index dc65c719f..d23ca815a 100644
> --- a/net/nfc/llcp_core.c
> +++ b/net/nfc/llcp_core.c
> @@ -1286,8 +1286,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>  {
>  	struct nfc_llcp_sock *llcp_sock;
>  	u8 dsap, ssap, type, length, tid, sap;
> -	const u8 *tlv;
> -	u16 tlv_len, offset;
> +	const u8 *tlv, *tlv_end;
>  	const char *service_name;
>  	size_t service_name_len;
>  	struct nfc_llcp_sdp_tlv *sdp;
> @@ -1306,21 +1305,28 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>  	}
>  
>  	tlv = &skb->data[LLCP_HEADER_SIZE];
> -	tlv_len = skb->len - LLCP_HEADER_SIZE;
> -	offset = 0;
> +	tlv_end = skb_tail_pointer(skb);

Only processing the linear part of the skb deserves a comment.

>  	sdres_tlvs_len = 0;
>  
> -	while (offset < tlv_len) {
> +	while (tlv + 2 < tlv_end) {
>  		type = tlv[0];
>  		length = tlv[1];
>  
> +		if (tlv + 2 + length > tlv_end)
> +			break;
> +
>  		switch (type) {
>  		case LLCP_TLV_SDREQ:
> +			if (length < 1)
> +				break;

I'm pretty sure a zero length 'service_name' makes no sense.

> +
>  			tid = tlv[2];
>  			service_name = (char *) &tlv[3];
>  			service_name_len = length - 1;
>  
> -			pr_debug("Looking for %.16s\n", service_name);
> +			pr_debug("Looking for %.*s\n",
> +				 (int)min_t(size_t, service_name_len, 16),
> +				 service_name);

I'm sure you don't need min_t() here.
In fact if you change the type of service_name_len to int you don't need
the outer cast either.
The domain of the value is [0..254] it isn't going to overflow.

>  
>  			if (service_name_len == strlen("urn:nfc:sn:sdp") &&
>  			    !strncmp(service_name, "urn:nfc:sn:sdp",
> @@ -1380,6 +1386,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>  			break;
>  
>  		case LLCP_TLV_SDRES:
> +			if (length < 2)
> +				break;

Someone with knowledge of the protocol can probably tell you that the
length should be exactly 2.

-- David

> +
>  			mutex_lock(&local->sdreq_lock);
>  
>  			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
> @@ -1408,7 +1417,6 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
>  			break;
>  		}
>  
> -		offset += length + 2;
>  		tlv += length + 2;
>  	}
>