Re: [PATCH net v4] net: nfc: nci: Fix parameter validation for packet data

From: Michael Thalmeier

Date: Wed Jan 07 2026 - 05:08:20 EST


On 04.01.26 at 19:13, Jakub Kicinski wrote:
On Tue, 23 Dec 2025 08:25:52 +0100 Michael Thalmeier wrote:
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 418b84e2b260..a5cafcd10cc3 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c

@@ -380,6 +384,10 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
pr_debug("rf_tech_specific_params_len %d\n",
ntf.rf_tech_specific_params_len);
+ if (skb->len < (data - skb->data) +
+ ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
+ return -EINVAL;
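Review bot: the new check only proves that ntf.rf_tech_specific_params_len bytes (plus ntf_type) are present in the skb; it does not bound what nci_extract_rf_params_nfca_passive_poll() and friends read, so a nested length field inside the params can still drive a read past the declared region even when this check passes. Consider passing the remaining length (ntf.rf_tech_specific_params_len) into the extract helpers so each read is checked there, or at minimum recording data before the helper call and rejecting with -EINVAL afterwards if (data - start) exceeds ntf.rf_tech_specific_params_len. Minor: (data - skb->data) is a ptrdiff_t compared against the unsigned skb->len; computing the offset as an unsigned value avoids a signed/unsigned comparison.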

Are we validating ntf.rf_tech_specific_params_len against the
extraction logic in nci_extract_rf_params_nfca_passive_poll()
and friends?

You are right. The current patch only validates that the received packet is consistent, in the sense that rf_tech_specific_params_len bytes are also contained in the buffer.

There is currently no code that validates that nci_extract_rf_params_nfca_passive_poll and friends only access the given number of bytes in their logic.
And to be frank, I do not know how to implement this without either cluttering the code with validation logic or re-implementing half the parsing logic for length validation.
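One way to give the extract helpers the bound Jakub asks about without re-implementing the parse for validation, as an added example that is neither the kernel's code nor part of this thread: a bounded cursor limited to rf_tech_specific_params_len, so the helper body stays a linear sequence of reads and only the read primitive knows about the limit. The notification layout ([params_len][params][ntf_type]) and the NFC-A passive poll field layout (SENS_RES, NFCID1 length and bytes, SEL_RES length and optional byte) are assumed from the NCI specification and are not shown on the page; all struct and function names here are hypothetical, and the three sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EINVAL 22 /* user-space stand-in for the kernel errno */

/* Hypothetical bounded cursor over the rf_tech_specific_params region:
 * every read is checked against the declared length before it happens. */
struct nci_cursor {
	const uint8_t *p;
	size_t left;
};

static int cur_u8(struct nci_cursor *c, uint8_t *out)
{
	if (c->left < 1)
		return -EINVAL;
	*out = *c->p++;
	c->left--;
	return 0;
}

static int cur_bytes(struct nci_cursor *c, uint8_t *out, size_t n)
{
	if (c->left < n)
		return -EINVAL;
	memcpy(out, c->p, n);
	c->p += n;
	c->left -= n;
	return 0;
}

/* NFC-A passive poll parameters, layout assumed from NCI (not on the page):
 * SENS_RES (2), NFCID1 length (1), NFCID1 (<=10), SEL_RES length (1), SEL_RES (0/1). */
struct nfca_poll_params {
	uint16_t sens_res;
	uint8_t nfcid1_len;
	uint8_t nfcid1[10];
	uint8_t sel_res_len;
	uint8_t sel_res;
};

static int extract_nfca_passive_poll(struct nci_cursor *c, struct nfca_poll_params *out)
{
	uint8_t lo, hi;
	int rc;

	memset(out, 0, sizeof(*out));
	if ((rc = cur_u8(c, &lo)) || (rc = cur_u8(c, &hi)))
		return rc;
	out->sens_res = (uint16_t)(lo | (hi << 8));
	if ((rc = cur_u8(c, &out->nfcid1_len)))
		return rc;
	if (out->nfcid1_len > sizeof(out->nfcid1))
		return -EINVAL; /* nested length larger than the destination field */
	if ((rc = cur_bytes(c, out->nfcid1, out->nfcid1_len)))
		return rc;      /* nested length larger than the declared region */
	if ((rc = cur_u8(c, &out->sel_res_len)))
		return rc;
	if (out->sel_res_len > 1)
		return -EINVAL;
	if (out->sel_res_len && (rc = cur_u8(c, &out->sel_res)))
		return rc;
	return 0;
}

/* Toy body: [params_len][params ...][ntf_type]. The first check mirrors the
 * hunk (declared params plus ntf_type must fit); the cursor and the
 * consumed-length check cover what that check alone does not. */
static int parse_discover_ntf(const uint8_t *pkt, size_t pkt_len,
			      struct nfca_poll_params *out, uint8_t *ntf_type)
{
	struct nci_cursor c;
	size_t off = 0;
	uint8_t params_len;
	int rc;

	if (pkt_len < 1)
		return -EINVAL;
	params_len = pkt[off++];
	if (pkt_len < off + params_len + sizeof(*ntf_type))
		return -EINVAL;

	c.p = pkt + off;
	c.left = params_len;
	rc = extract_nfca_passive_poll(&c, out);
	if (rc)
		return rc;
	if (c.left != 0)
		return -EINVAL; /* strict: declared length must match what was parsed */
	*ntf_type = pkt[off + params_len];
	return 0;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_GOOD[] = { 0x09, 0x04, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x20, 0x02 };
/* params_len=3 is fully present, so the hunk-style check passes, but the
 * nested nfcid1_len=10 would read past the declared region without the cursor. */
static const uint8_t PKT_INNER_OVERRUN[] = { 0x03, 0x04, 0x00, 0x0a, 0x02 };
/* params_len=9 but only 2 param bytes follow: rejected by the hunk-style check. */
static const uint8_t PKT_TRUNCATED[] = { 0x09, 0x04, 0x00 };

/* Returns ntf_type on success, a negative errno otherwise. */
int demo_parse(const uint8_t *pkt, size_t len)
{
	struct nfca_poll_params p;
	uint8_t ntf_type;
	int rc = parse_discover_ntf(pkt, len, &p, &ntf_type);
	return rc ? rc : ntf_type;
}

int demo_good(void)          { return demo_parse(PKT_GOOD, sizeof(PKT_GOOD)); }
int demo_inner_overrun(void) { return demo_parse(PKT_INNER_OVERRUN, sizeof(PKT_INNER_OVERRUN)); }
int demo_truncated(void)     { return demo_parse(PKT_TRUNCATED, sizeof(PKT_TRUNCATED)); }

int main(void)
{
	printf("good=%d inner_overrun=%d truncated=%d\n",
	       demo_good(), demo_inner_overrun(), demo_truncated());
	return 0;
}
```

The second packet is the case the hunk alone misses: its declared length is consistent with the buffer, yet a length byte inside the parameters asks for more than the declared region holds. With the cursor, the overrun is refused at the read that would cause it, and the helper needs no extra validation code beyond using the cursor primitives; whether leftover bytes after a successful parse should be an error or silently skipped is a policy choice, made strict here.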