Re: [PATCH net v2] nfc: digital: clamp SENSF_RES length to the destination buffer
From: Alexander Lobakin
Date: Wed Jun 03 2026 - 10:52:04 EST
From: Doruk Tan Ozturk <doruk@xxxxxxx>
Date: Wed, 3 Jun 2026 16:13:55 +0200
> digital_in_recv_sensf_res() memcpy()s resp->len bytes from a remote
> NFC-F device response into the NFC_SENSF_RES_MAXSIZE-byte target.sensf_res
> field without an upper-bound check. A nearby malicious NFC-F device can
> send an oversized SENSF_RES response to overflow the stack-local struct
> nfc_target.
>
> Clamp resp->len to NFC_SENSF_RES_MAXSIZE before the copy.
>
> Found by 0sec automated security-research tooling (https://0sec.ai).
>
> Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@xxxxxxxxx>
> ---
> v2:
> - Clamp resp->len with min_t() before the copy (Alexander Lobakin).
> - Add Fixes: tag and Cc: stable (Alexander Lobakin).
> - Frame as a stack buffer overflow (saved-return overwrite not demonstrated).
> net/nfc/digital_technology.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
> index ae63c5eb0..ae6487c10 100644
> --- a/net/nfc/digital_technology.c
> +++ b/net/nfc/digital_technology.c
> @@ -778,6 +778,8 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg,
>
> sensf_res = (struct digital_sensf_res *)resp->data;
>
> + resp->len = min_t(unsigned int, resp->len, NFC_SENSF_RES_MAXSIZE);
> +
> memcpy(target.sensf_res, sensf_res, resp->len);
> target.sensf_res_len = resp->len;
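Review bot: the min_t() clamp silently accepts an over-length SENSF_RES and activates the target with a truncated copy in target.sensf_res and sensf_res_len set to the clamped value, even though a frame longer than NFC_SENSF_RES_MAXSIZE is by definition malformed; consider whether digital_in_recv_sensf_res() should drop such a response instead of falling through to the memcpy(). If the clamp is kept, prefer a local length variable over overwriting resp->len in place (any later user of the skb would otherwise see the adjusted length), and add a one-line comment above the min_t() line stating that the bound is the size of target.sensf_res.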
I was wondering whether we need to record this in the kernel log.
But given that a malicious device can and would be happy to flood with
such packets, it would be pr_warn_once() or something similar at max.
But I guess it's not needed at all; we can just silently clamp such packets?
Thanks,
Olek