Re: [PATCH] nfc: hci: fix OOB heap read on short HCP frames.

Next message: Krzysztof Kozlowski: "Re: [PATCH v1 1/3] dt-bindings: arm: fsl: add Variscite VAR-SOM-MX91 Boards"
Previous message: Eric Dumazet: "Re: [PATCH] rose: fix OOB read on short CLEAR REQUEST frames."
In reply to: Eric Dumazet: "Re: [PATCH] nfc: hci: fix OOB heap read on short HCP frames."
Next in thread: Ashutosh Desai: "[PATCH v2] nfc: hci: fix OOB heap read on short HCP frames"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Thu Apr 09 2026 - 03:15:10 EST

On Wed, Apr 8, 2026 at 3:15 PM ashutosh desai
<ashutoshdesai993@xxxxxxxxx> wrote:
>
> Both nfc_hci_recv_from_llc() and nfc_hci_msg_rx_work() read byte 1 of
> an sk_buff (the HCP message header field) without first verifying the
> buffer contains at least NFC_HCI_HCP_HEADER_LEN (2) bytes.
>
> The SHDLC LLC layer only filters zero-length frames; a single-byte
> I-frame from a malicious NFC peer therefore reaches the HCI reassembly
> path where packet->message.header is read one byte past the valid data.
> The same issue is present in the NCI HCI implementation (nci/hci.c)
> via nci_hci_data_received_cb() and nci_hci_msg_rx_work().
>
> Add an explicit length check before accessing the message header at
> all four locations, freeing the skb on malformed input.
>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@xxxxxxxxx>
> ---

Same answer: Testing skb->len alone is not enough.

skbs can have fragments, pskb_may_pull() or skb_linearize() would be needed.