Re: [PATCH net 2/2] NFC: digital: Bounds check Felica response before sensf_res memcpy

From: Jakub Kicinski

Date: Sun Apr 12 2026 - 14:48:40 EST


On Thu, 9 Apr 2026 17:18:15 +0200 Greg Kroah-Hartman wrote:
> A malicious NFC peer can send a SENSF_RES that is longer than the
> NFC_SENSF_RES_MAXSIZE (18 byte) sensf_res field in the onstack struct
> nfc_target. digital_in_recv_sensf_res() validates that the response is
> at least DIGITAL_SENSF_RES_MIN_LENGTH bytes but applies no upper bound
> before memcpy(target.sensf_res, sensf_res, resp->len) is called,
> allowing a stack buffer overflow with attacker-controlled length and
> content.
>
> Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
> fixed identical missing checks for the same target->sensf_res field on
> the NCI path; the Digital Protocol path was never patched.
>
> Fix this all up by just rejecting responses that exceed
> NFC_SENSF_RES_MAXSIZE.

This driver's local definition of the sensf_res struct seems to
be larger than NFC_SENSF_RES_MAXSIZE. Something is off here.
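As an added illustration (not the kernel's code and not part of either message above), the pattern Greg describes next to a bounded version. The struct layout, the `sk_buff` stand-in and the value of `DIGITAL_SENSF_RES_MIN_LENGTH` are assumptions made for this example; the fixed copy bounds on `sizeof(target->sensf_res)` rather than on the constant, which is what Jakub's point about the local struct definition argues for, since a mismatch between constant and field would then be caught at the field, not silently overflowed.

```c
/* Added example, not the kernel's code. Models the missing upper bound
 * on the SENSF_RES copy into the on-stack struct nfc_target, and the
 * fixed form. Struct layout, sk_buff stand-in and the MIN_LENGTH value
 * are assumptions for illustration only. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NFC_SENSF_RES_MAXSIZE 18         /* size of nfc_target.sensf_res (from the report) */
#define DIGITAL_SENSF_RES_MIN_LENGTH 17  /* assumed value; the kernel's may differ */

struct nfc_target {
	uint8_t sensf_res[NFC_SENSF_RES_MAXSIZE];
	uint8_t sensf_res_len;
};

struct sk_buff {                         /* minimal stand-in for the response buffer */
	const uint8_t *data;
	size_t len;                      /* peer-controlled length */
};

/* Vulnerable pattern: only a lower bound, then memcpy of resp->len bytes. */
int sensf_res_copy_unbounded(struct nfc_target *target, const struct sk_buff *resp)
{
	if (resp->len < DIGITAL_SENSF_RES_MIN_LENGTH)
		return -EPROTO;
	memcpy(target->sensf_res, resp->data, resp->len); /* overflows once len > 18 */
	target->sensf_res_len = (uint8_t)resp->len;
	return 0;
}

/* Fixed pattern: reject anything larger than the destination field.
 * sizeof() ties the bound to the field itself, so a constant that
 * disagrees with the struct definition cannot reopen the overflow. */
int sensf_res_copy_bounded(struct nfc_target *target, const struct sk_buff *resp)
{
	if (resp->len < DIGITAL_SENSF_RES_MIN_LENGTH ||
	    resp->len > sizeof(target->sensf_res))
		return -EPROTO;
	memcpy(target->sensf_res, resp->data, resp->len);
	target->sensf_res_len = (uint8_t)resp->len;
	return 0;
}

/* Runs the bounded path on a constructed response of the given length. */
int check_response_of_len(size_t len)
{
	uint8_t data[64] = { 0xAA, 0x55 };  /* constructed payload bytes */
	struct nfc_target target;
	struct sk_buff resp = { data, len };
	memset(&target, 0, sizeof(target));
	return sensf_res_copy_bounded(&target, &resp);
}
```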