Re: [PATCH net v4] nfc: llcp: bound SNL TLV parsing to the skb and add length checks

[Simon Horman <horms@kernel.org>]

On Tue, Jun 09, 2026 at 10:25:43PM +0200, Doruk Tan Ozturk wrote:
> nfc_llcp_recv_snl() walked the SNL TLV list using a u16 offset/length
> pair derived from skb->len, without bounding reads to the actual skb
> data. Three problems followed:
> 
>   - For a short frame (skb->len < LLCP_HEADER_SIZE), tlv_len underflowed.
>   - The per-TLV header (type, length) was read without checking that two
>     bytes remained.
>   - A declared TLV length could run past the end of the buffer, and an
>     SDREQ with length == 0 made "service_name_len = length - 1" underflow
>     (size_t), driving an out-of-bounds read in the following strncmp() /
>     nfc_llcp_sock_from_sn(). The SDRES case likewise read tlv[2]/tlv[3]
>     without a length check.
> 
> A nearby NFC device can reach this without authentication; LLCP link
> activation happens automatically after NFC-DEP.
> 
> Walk the TLV list by pointer, bounded by skb_tail_pointer() over the
> linear skb data, and validate each TLV declared length before use. Add
> explicit length checks for SDREQ (>= 1) and SDRES (exactly 2).
> 
> Found by 0sec automated security-research tooling (https://0sec.ai).
> 
> Fixes: 19cfe5843e86 ("NFC: Initial SNL support")
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>

Reviewed-by: Simon Horman <horms@kernel.org>


FTR: There is AI-generated review of this patch-set available on both
     https://sashiko.dev and https://netdev-ai.bots.linux.dev/sashiko/
     While I don't think that review should effect progress of this patch
     you may wish to consider it in the context of possible follow-up.