[PATCH net v3 0/4] nfc: fix multiple parsing vulnerabilities reachable from RF

[Lekë Hapçiu]

From: Lekë Hapçiu <framemain@xxxxxxxxxxx>

This series fixes four RF-reachable parsing vulnerabilities in the NFC
stack.  All four are triggerable from an NFC peer within ~4 cm of the
victim, before any pairing or authentication.

Patch 1 fixes a u8 underflow in nci_store_general_bytes_nfc_dep() where
a short ATR_RES/ATR_REQ causes (atr_res_len - NFC_ATR_RES_GT_OFFSET) to
wrap in u8 arithmetic, producing a bogus remote_gb_len that copies up
to 47 bytes beyond the valid activation parameter data.

Patch 2 hardens nfc_llcp_parse_gb_tlv() and
nfc_llcp_parse_connection_tlv().  The loop guard does not prove that
two header bytes can be read, and the peer-controlled `length` field
is used to advance `tlv` without bounds checking.  An 8-bit `offset`
against a 16-bit `tlv_array_len` compounds the issue in
parse_connection_tlv() where the TLV array can exceed 255 bytes.

Patch 3 fixes nfc_llcp_recv_snl().  The SNL handler accesses skb->data
before verifying skb->len, and its inner TLV loop has the same two
weaknesses as patch 2.  SDREQ handling additionally requires
length >= 2 because both tid (tlv[2]) and the start of service_name
(tlv[3]) are read.

Patch 4 fixes nfc_llcp_recv_dm() which reads skb->data[2] (the DM
reason byte) without checking skb->len >= 3.

Changes in v3:
 - Restore the u8 -> u16 `offset` promotion in patch 2.  v2 split this
   into a separate v1 patch and did not re-send it; v3 combines the
   promotion and the bounds checks in a single patch (Paolo Abeni).
 - Return -EINVAL from nci_store_general_bytes_nfc_dep() and propagate
   the error out of nci_rf_intf_activated_ntf_packet() rather than
   silently accepting the malformed packet (Paolo Abeni).
 - Drop the style-only paren removal in patch 1 (Paolo Abeni).
 - Condense commit message in patch 2 (Paolo Abeni).
 - Consolidate the length >= 1 checks before the switch in patch 2,
   keeping length >= 2 only for the llcp_tlv16() accessors (Paolo Abeni).
 - Tighten SDREQ length check from >=1 to >=2 in patch 3; the handler
   reads both tlv[2] and tlv[3] (Sashiko).
 - Add patch 4 for nfc_llcp_recv_dm().
 - Send as a fresh thread rather than In-Reply-To v2 (Paolo Abeni).

Lekë Hapçiu (4):
  nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
  nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
  nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
  nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm

 net/nfc/llcp_commands.c | 24 ++++++++++++++++++++++--
 net/nfc/llcp_core.c     | 16 ++++++++++++++++
 net/nfc/nci/ntf.c       | 10 +++++++++-
 3 files changed, 47 insertions(+), 3 deletions(-)

-- 
2.51.0