* [PATCH] net: nfc: nci: Fix parameter validation for packet data
From: Michael Thalmeier @ 2025-12-09 13:21 UTC
To: Deepak Sharma, Krzysztof Kozlowski, Vadim Fedorenko
Cc: linux-kernel, netdev, Michael Thalmeier, stable
Since commit 8fcc7315a10a ("net: nfc: nci: Add parameter validation for
packet data") communication with nci nfc chips is not working any more.
The mentioned commit tries to fix access of uninitialized data, but
failed to understand that in some cases the data packet is of variable
length and can therefore not be compared to the maximum packet length
given by the sizeof(struct).
For these cases it is only possible to check for minimum packet length.
Fixes: 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
---
net/nfc/nci/ntf.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 418b84e2b260..5161e94f067f 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
struct nci_conn_info *conn_info;
int i;
- if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
+ /* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */
+ if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry)))
return -EINVAL;
ntf = (struct nci_core_conn_credit_ntf *)skb->data;
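Review bot: The new minimum only proves that one entry is present; nothing visible in this hunk ties the count the packet declares to skb->len. After `ntf = (struct nci_core_conn_credit_ntf *)skb->data;`, I would add a second check that skb->len is at least sizeof(__u8) + ntf->num_entries * sizeof(struct conn_credit_entry) before the entries are walked. Please also confirm that rejecting a one-byte notification with num_entries=0 is intended, since the comment only argues the num_entries=1 case.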
@@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
const __u8 *data;
bool add_target = true;
- if (skb->len < sizeof(struct nci_rf_discover_ntf))
+ /* Minimal packet size is 5 if rf_tech_specific_params_len=0 */
+ if (skb->len < (5 * sizeof(__u8)))
return -EINVAL;
data = skb->data;
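Review bot: The bare `5 * sizeof(__u8)` in the length check is a magic number that can drift from the field layout it stands for; a named constant (or a sum of the fixed field sizes) would make it reviewable, and the multiplication by sizeof(__u8) adds nothing. Since the comment says 5 is only the size when rf_tech_specific_params_len=0, the value of that field read from the packet still needs to be compared against the remaining skb->len before the technology-specific parameters are parsed.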
@@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
const __u8 *data;
int err = NCI_STATUS_OK;
- if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
+ /* Minimal packet size is 11 if
+ * f_tech_specific_params_len=0 and activation_params_len=0
+ */
+ if (skb->len < (11 * sizeof(__u8)))
return -EINVAL;
data = skb->data;
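Review bot: The comment names `f_tech_specific_params_len`, which looks like a typo for rf_tech_specific_params_len as spelled in the comment of the previous hunk. As there, 11 would be better as a named constant, and because two length fields (the tech-specific one and activation_params_len) are variable here, each should be checked against the bytes remaining in the skb once it has been read.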
--
2.52.0
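
The commit message's point about variable-length packets, shown as an added user-space example (not part of the patch or of the kernel sources): a check against the maximum layout rejects valid short packets, while a minimum check should be followed by a check of the count the packet declares. The names `parse_credits`, `max_size_check_accepts`, `MAX_ENTRIES` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: one count byte followed by
 * `count` two-byte entries. MAX_ENTRIES is an assumed upper bound. */
#define MAX_ENTRIES 10
#define ENTRY_SIZE  2
enum { PKT_OK = 0, PKT_TOO_SHORT = -1, PKT_BAD_COUNT = -2 };
struct entry { uint8_t conn_id, credits; };

/* The regressing style of check: compares against the largest possible
 * layout, so every packet carrying fewer than MAX_ENTRIES is refused. */
static int max_size_check_accepts(size_t len)
{
    return len >= 1 + (size_t)MAX_ENTRIES * ENTRY_SIZE;
}

/* Two-stage check: fixed prefix first, then the count the packet itself
 * declares is bounded and compared with the bytes actually received. */
static int parse_credits(const uint8_t *data, size_t len,
                         struct entry *out, size_t *n_out)
{
    size_t i, count;

    if (len < 1)
        return PKT_TOO_SHORT;
    count = data[0];
    if (count > MAX_ENTRIES)
        return PKT_BAD_COUNT;
    if (len - 1 < count * ENTRY_SIZE)
        return PKT_TOO_SHORT;   /* count claims more than was sent */
    for (i = 0; i < count; i++) {
        out[i].conn_id = data[1 + i * ENTRY_SIZE];
        out[i].credits = data[2 + i * ENTRY_SIZE];
    }
    *n_out = count;
    return PKT_OK;
}

int main(void)
{
    const uint8_t one[] = { 1, 0x00, 0x05 };   /* constructed sample */
    struct entry out[MAX_ENTRIES];
    size_t n = 0;

    printf("max-size check: %d, two-stage: %d\n",
           max_size_check_accepts(sizeof(one)),
           parse_credits(one, sizeof(one), out, &n));
    return 0;
}
```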
* Re: [PATCH] net: nfc: nci: Fix parameter validation for packet data
From: Simon Horman @ 2025-12-09 16:31 UTC
To: Michael Thalmeier
Cc: Deepak Sharma, Krzysztof Kozlowski, Vadim Fedorenko, linux-kernel,
netdev, stable
On Tue, Dec 09, 2025 at 02:21:03PM +0100, Michael Thalmeier wrote:
> Since commit 8fcc7315a10a ("net: nfc: nci: Add parameter validation for
> packet data") communication with nci nfc chips is not working any more.
>
> The mentioned commit tries to fix access of uninitialized data, but
> failed to understand that in some cases the data packet is of variable
> length and can therefore not be compared to the maximum packet length
> given by the sizeof(struct).
>
> For these cases it is only possible to check for minimum packet length.
>
> Fixes: 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data")
Hi Michael,
I don't see that hash in net. Perhaps it should be:
Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
> Cc: stable@vger.kernel.org
> Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
...
* Re: [PATCH] net: nfc: nci: Fix parameter validation for packet data
From: Michael Thalmeier @ 2025-12-10 8:01 UTC
To: Simon Horman
Cc: Deepak Sharma, Krzysztof Kozlowski, Vadim Fedorenko, linux-kernel,
netdev, stable
On 12/9/25 17:31, Simon Horman wrote:
> On Tue, Dec 09, 2025 at 02:21:03PM +0100, Michael Thalmeier wrote:
>> Since commit 8fcc7315a10a ("net: nfc: nci: Add parameter validation for
>> packet data") communication with nci nfc chips is not working any more.
>>
>> The mentioned commit tries to fix access of uninitialized data, but
>> failed to understand that in some cases the data packet is of variable
>> length and can therefore not be compared to the maximum packet length
>> given by the sizeof(struct).
>>
>> For these cases it is only possible to check for minimum packet length.
>>
>> Fixes: 8fcc7315a10a ("net: nfc: nci: Add parameter validation for packet data")
>
> Hi Michael,
>
> I don't see that hash in net. Perhaps it should be:
>
> Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
Hi Simon,
You are right. This was a hash from a stable branch.
I will send a v2.
>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
>
> ...