Re: [PATCH net v2] NFC: digital: bound SENSF response copy into nfc_target

From: Jakub Kicinski

Date: Sun Apr 12 2026 - 11:35:40 EST


On Tue, 7 Apr 2026 09:57:36 +0800 Pengpeng Hou wrote:
> digital_in_recv_sensf_res() copies the received SENSF response into
> struct nfc_target without bounding the copy to target.sensf_res. A full
> on-wire digital_sensf_res is 19 bytes long, while nfc_target stores 18
> bytes, so oversized or full-length frames can overwrite adjacent stack
> fields before digital_target_found() sees the target.
>
> Reject payloads larger than struct digital_sensf_res and clamp the copy
> into target.sensf_res so valid 19-byte responses keep working while the
> fixed destination buffer stays bounded.

You need to solve the riddle why this driver thinks the response is 19
bytes but the core wants to store only 18...

> Fixes: 8c0695e4998dd268ff2a05951961247b7e015651 ("NFC Digital: Add NFC-F technology support")

nit: the hash in the Fixes tag should be only 12 chars
--
pw-bot: cr
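
An added example, not part of the original message or of the kernel patch: a user-space C model of the reject-then-clamp approach the quoted commit message describes. The struct, the function names and the canary field are hypothetical; only the 19-byte and 18-byte sizes come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Sizes are from the quoted commit message; all names are hypothetical. */
#define WIRE_SENSF_RES_LEN   19 /* full on-wire digital_sensf_res */
#define TARGET_SENSF_RES_MAX 18 /* bytes nfc_target stores */

struct model_target {
	uint8_t sensf_res_len;
	uint8_t sensf_res[TARGET_SENSF_RES_MAX];
	uint8_t canary[4]; /* stands in for adjacent stack fields */
};

/* Reject oversized payloads, then clamp the copy; 0 on success, -1 if rejected. */
int model_store_sensf_res(struct model_target *t, const uint8_t *payload, size_t len)
{
	size_t copy_len = len;
	if (len > WIRE_SENSF_RES_LEN)
		return -1;
	if (copy_len > sizeof(t->sensf_res))
		copy_len = sizeof(t->sensf_res);
	memcpy(t->sensf_res, payload, copy_len);
	t->sensf_res_len = (uint8_t)copy_len;
	return 0;
}

/* Constructed frame (byte i holds i + 1): stored length, -1 rejected, -2 canary hit. */
int model_run(size_t len)
{
	static const uint8_t guard[4] = { 0xAA, 0xAA, 0xAA, 0xAA };
	uint8_t frame[64];
	struct model_target t;
	size_t i;
	for (i = 0; i < sizeof(frame); i++)
		frame[i] = (uint8_t)(i + 1);
	memset(&t, 0xAA, sizeof(t));
	if (len > sizeof(frame) || model_store_sensf_res(&t, frame, len) < 0)
		return -1;
	if (memcmp(t.canary, guard, sizeof(guard)) != 0)
		return -2;
	return t.sensf_res_len;
}

int main(void)
{
	printf("19 -> %d, 20 -> %d\n", model_run(19), model_run(20));
	return 0;
}
```

With a full 19-byte frame the model stores 18 bytes and drops the final one, which is the size mismatch the reply asks about.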