From: Bryam Vargas <hexlabsecurity@proton.me>
To: Simon Horman <horms@kernel.org>
Cc: David Heidelberg <david@ixit.cz>,
Robert Dolca <robert.dolca@intel.com>,
Samuel Ortiz <sameo@linux.intel.com>,
Kang Chen <void0red@gmail.com>,
oe-linux-nfc@lists.linux.dev, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nfc: fdp: reject an oversized device-reported packet length
Date: Wed, 17 Jun 2026 04:41:45 +0000 [thread overview]
Message-ID: <20260617044138.347012-1-hexlabsecurity@proton.me> (raw)
In-Reply-To: <20260616090035.GS712698@horms.kernel.org>
> So I wonder if the check you are adding below should also guard
> against phy->next_read_size < FDP_NCI_I2C_MIN_PAYLOAD.
Agreed. Both routes are reachable: a length packet with tmp[2] == 0 &&
tmp[3] < 2 gives 3 or 4 directly, and the + 3 can carry the u16 store
past 65535 (tmp[2] == tmp[3] == 0xff -> 65538, truncated to 2).
next_read_size then drops below the 2-byte header + 1-byte LRC that
fdp_nci_i2c_remove_len_lrc() strips, and the short read also leaves
tmp[2]/tmp[3] unrefreshed when the next packet is parsed as a length
packet, so the following length comes from stale buffer bytes. It is not
a second overflow -- skb_pull()/skb_trim() are self-guarding, so the
frame is malformed rather than out of bounds -- but the desync is real
and bounding it is correct.
v2 folds both ends into one range check on the stored value, so the
truncation case is covered too. It also carries a fix for an skb leak in
the same function (a device that sends two data packets in one call
leaks the first skb); I am happy to split that into its own patch if you
would prefer.
I will add your Suggested-by.
Bryam
prev parent reply other threads:[~2026-06-17 4:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 8:04 [PATCH] nfc: fdp: reject an oversized device-reported packet length Bryam Vargas via B4 Relay
2026-06-16 9:00 ` Simon Horman
2026-06-17 4:41 ` Bryam Vargas [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260617044138.347012-1-hexlabsecurity@proton.me \
--to=hexlabsecurity@proton.me \
--cc=david@ixit.cz \
--cc=horms@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oe-linux-nfc@lists.linux.dev \
--cc=robert.dolca@intel.com \
--cc=sameo@linux.intel.com \
--cc=void0red@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox