Re: [PATCH v7] nfc: hci: fix out-of-bounds read in HCP header parsing
From: Simon Horman
Date: Sat May 09 2026 - 06:54:37 EST
On Tue, May 05, 2026 at 05:07:12PM +0000, Ashutosh Desai wrote:
> Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
> packet->header from skb->data at function entry without first checking
> that the buffer holds at least one byte. A malicious NFC peer can send
> a 0-byte HCP frame that passes through the SHDLC layer and reaches
> these functions, causing an out-of-bounds heap read of packet->header.
> The same 0-byte frame, if queued as a non-final fragment, also causes
> the reassembly loop to underflow msg_len to UINT_MAX, triggering
> skb_over_panic() when the reassembled skb is written.
>
> Fix this by adding a pskb_may_pull() check at the entry of each
> function before packet->header is first accessed. The existing
> pskb_may_pull() checks before the reassembled hcp_skb is cast to
> struct hcp_packet remain in place to guard the 2-byte HCP message
> header.
>
> Fixes: 8b8d2e08bf0d ("NFC: HCI support")
> Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
> Signed-off-by: Ashutosh Desai <ashutoshdesai993@xxxxxxxxx>
FTR: There is an AI-generated review of this patch available on sashiko.dev.
It seems to me that all of the issues flagged there are pre-existing and
need not impede progress of this patch.
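The length check the patch describes, reduced to a self-contained model. This is an added illustration for readers of the thread, not the kernel's code or the patch itself: `struct model_skb`, `may_pull()`, the chaining-bit layout and the function names are assumptions made for the example, and the fragment bytes are constructed sample input. It shows the 1-byte per-fragment check at entry, how the reassembly length computation wraps when an empty fragment is allowed in, and the separate 2-byte message-header check on the reassembled result.

```c
/* Simplified model of the HCP (Host Controller Protocol) checks
 * discussed in the patch: every HCP fragment carries a 1-byte packet
 * header, and the reassembled message must also carry a 2-byte message
 * header. Added illustration, not kernel code; the skb stand-in, the
 * chaining-bit layout and the function names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

#define HCP_PACKET_HEADER_LEN 1u   /* one header byte per fragment */
#define HCP_MESSAGE_HEADER_LEN 2u  /* type + instruction, reassembled msg */
#define HCP_CHAINING_BIT 0x80u     /* assumed: set on the final fragment */

/* Minimal stand-in for the parts of struct sk_buff these checks touch. */
struct model_skb {
    const uint8_t *data;
    unsigned int len;
};

/* Emulates the pskb_may_pull() contract for this model: non-zero when
 * at least n bytes of data are present in the buffer. */
static int may_pull(const struct model_skb *skb, unsigned int n)
{
    return skb->len >= n;
}

/* Per-fragment payload length as the unguarded reassembly loop computed
 * it: an empty fragment wraps to UINT_MAX. Kept only to show the bug. */
static unsigned int payload_len_unguarded(const struct model_skb *skb)
{
    return skb->len - HCP_PACKET_HEADER_LEN;
}

/* Entry check from the patch: refuse a frame that cannot hold the
 * 1-byte packet header before anything dereferences it.
 * Returns 1 for a final fragment, 0 for a non-final fragment,
 * -1 when the frame is too short to carry a header. */
static int hcp_classify_frame(const struct model_skb *skb)
{
    if (!may_pull(skb, HCP_PACKET_HEADER_LEN))
        return -1;
    return (skb->data[0] & HCP_CHAINING_BIT) ? 1 : 0;
}

/* Reassembly length with the per-fragment guard applied. Returns the
 * total payload length of the chained message, or -1 if any fragment
 * is shorter than its header or the result cannot hold the 2-byte
 * message header. */
static long hcp_reassembled_len(const struct model_skb *frags, size_t nfrags)
{
    unsigned long msg_len = 0;

    for (size_t i = 0; i < nfrags; i++) {
        if (!may_pull(&frags[i], HCP_PACKET_HEADER_LEN))
            return -1;
        msg_len += frags[i].len - HCP_PACKET_HEADER_LEN;
    }
    if (msg_len < HCP_MESSAGE_HEADER_LEN)
        return -1;
    return (long)msg_len;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frag_nonfinal_bytes[] = { 0x01, 0xAA, 0xBB };
static const uint8_t frag_final_bytes[]    = { 0x81, 0xCC };
static const uint8_t frag_headeronly_bytes[] = { 0x81 };

static const struct model_skb empty_frame   = { NULL, 0 };
static const struct model_skb final_frame   = { frag_final_bytes, 2 };
static const struct model_skb nonfinal_frame = { frag_nonfinal_bytes, 3 };
static const struct model_skb headeronly_frame = { frag_headeronly_bytes, 1 };

/* A well-formed chain: 2 payload bytes + 1 payload byte = 3. */
static const struct model_skb good_chain[] = {
    { frag_nonfinal_bytes, 3 }, { frag_final_bytes, 2 }
};
/* The same chain with an empty non-final fragment queued in front. */
static const struct model_skb bad_chain[] = {
    { NULL, 0 }, { frag_nonfinal_bytes, 3 }, { frag_final_bytes, 2 }
};

int main(void)
{
    printf("empty frame classify: %d\n", hcp_classify_frame(&empty_frame));
    printf("unguarded payload len of empty frame: %u (UINT_MAX=%u)\n",
           payload_len_unguarded(&empty_frame), UINT_MAX);
    printf("good chain len: %ld\n", hcp_reassembled_len(good_chain, 2));
    printf("bad chain len: %ld\n", hcp_reassembled_len(bad_chain, 3));
    return 0;
}
```

The unguarded helper is there only to make the underflow visible: with the entry check in place an empty frame never reaches the queue, so the subtraction in the reassembly loop always has at least the header byte to remove.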