Re: [PATCH net v4] net: nfc: nci: Fix parameter validation for packet data

Next message: Andrew Morton: "Re: [PATCH 1/1] mm/page_alloc: auto-tune min_free_kbytes on atomic allocation failure"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH net] net: bnge: add AUXILIARY_BUS to Kconfig dependencies"
Next in thread: Michael Thalmeier: "Re: [PATCH net v4] net: nfc: nci: Fix parameter validation for packet data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Sun Jan 04 2026 - 13:13:45 EST

On Tue, 23 Dec 2025 08:25:52 +0100 Michael Thalmeier wrote:
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 418b84e2b260..a5cafcd10cc3 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c

> @@ -380,6 +384,10 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
> pr_debug("rf_tech_specific_params_len %d\n",
> ntf.rf_tech_specific_params_len);
>
> + if (skb->len < (data - skb->data) +
> + ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
> + return -EINVAL;

Are we validating ntf.rf_tech_specific_params_len against the
extraction logic in nci_extract_rf_params_nfca_passive_poll()
and friends?