Re: [PATCH] nfc: port100: guard against incomplete USB frames

Next message: Bill Wendling: "Re: [PATCH 1/2] Compiler Attributes: Add __counted_by_ptr macro"
Previous message: Jason Gunthorpe: "Re: [PATCH] iommufd/driver: Fix counter initialization for counted_by annotation"
In reply to: =?gb18030?b?Zmx5bm5uY2hlbiizwszss/4p?=: "[PATCH] nfc: port100: guard against incomplete USB frames"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Fri Nov 21 2025 - 14:45:12 EST

On Mon, Nov 17, 2025 at 12:22:15PM +0800, flynnnchen(陈天楚) wrote:
> Discovered by Atuin - Automated Vulnerability Discovery Engine.
>
> Validate that the URB payload is long enough for the frame header and the
> advertised data length before accessing it, so truncated transfers are
> rejected with -EIO, preventing the driver from reading out-of-bounds and
> leaking kernel memory to USB devices.
>
> Signed-off-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

Thanks,

FWIIW, I agree with your analysis and solution.

I would add a fixes tag, as it is a fix for code present in the
net tree.

Perhaps this one: this seems to be the commit where the problem
was introduced.

Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")

And it would be best to explicitly target such a fix at the net
tree, like this:

Subject: [PATCH net] ...

On a process note, as the from address of your email doesn't match
the Signed-off-by line, I think it would be best to include a From:
line at the very beginning of the commit message, with your name
matching the Signed-off-by line.

i.e.

From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

But over all this looks good to me.

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>