[PATCH 0/2] nfc: pn533: bound device-supplied lengths in the receive path

Next message: Michael Bommarito: "[PATCH 1/2] nfc: pn533: bound device-supplied lengths in the receive path"
Previous message: Chen Cheng: "[PATCH] md/raid5: let stripe batch bm_seq comparison wrap-safe"
Next in thread: Michael Bommarito: "[PATCH 1/2] nfc: pn533: bound device-supplied lengths in the receive path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Bommarito

Date: Wed Jun 17 2026 - 23:00:13 EST

The PN533 receive path trusts several device-supplied length fields and
reads past the received buffer when they exceed it. The receive skb is
sized to the device's USB transfer length, so a malicious or counterfeit
PN53x reader triggers out-of-bounds reads in the standard/ACR122 frame
validators, in Type A target parsing (nfcid_len), and in the autopoll
record walk.

Michael Bommarito (2):
nfc: pn533: bound device-supplied lengths in the receive path
nfc: pn533: add KUnit tests for receive-path bounds

drivers/nfc/pn533/Kconfig | 9 +++
drivers/nfc/pn533/pn533.c | 125 +++++++++++++++++++++++++++++++++++++-
drivers/nfc/pn533/pn533.h | 3 +-
drivers/nfc/pn533/usb.c | 12 +++-
4 files changed, 144 insertions(+), 5 deletions(-)

--
2.53.0