Re: [PATCH] net/nfc: bound SENSF response copy length
From: Pengpeng Hou
Date: Mon Apr 06 2026 - 22:06:52 EST
Hi Simon,

Thanks, you're right about the net targeting, the "NFC: digital:"
prefix, and the missing Fixes tag.

You are also right that a valid full SENSF_RES can be 19 bytes long.
So instead of rejecting resp->len > NFC_SENSF_RES_MAXSIZE, v2 only
rejects payloads larger than struct digital_sensf_res, then clamps the
copy into the 18-byte sensf_res buffer inside struct nfc_target.

That keeps valid 19-byte responses working while still fixing the stack
overwrite in the target copy path. The lower-bound check remains on the
pre-skb_pull() frame length, and v2 only adds the post-pull upper bound
before treating the payload as struct digital_sensf_res.

Thanks,
Pengpeng
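An added, stand-alone C model of the copy path discussed in this thread (editor's example, not the patch or the kernel's code): the unbounded copy beside the v2 bound-and-clamp. The 18-byte target buffer and 19-byte full SENSF_RES are taken from the thread; `struct target_model`, `canary_after_copy` and the two size macros are hypothetical stand-ins for the real nfc_target / digital_sensf_res layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: sizes come from this thread, not from the kernel headers. */
#define DIGITAL_SENSF_RES_SIZE 19  /* assumed sizeof(struct digital_sensf_res) */
#define TARGET_SENSF_RES_LEN   18  /* sensf_res[] buffer in struct nfc_target */

struct target_model {
	uint8_t sensf_res[TARGET_SENSF_RES_LEN];
	uint8_t canary;   /* directly after the buffer, so an overrun clobbers it */
	size_t sensf_res_len;
};

/* Before: copies the full post-pull length; 19 bytes run one past the buffer
 * (the write is kept inside the model struct so the demo stays defined). */
static void copy_unbounded(struct target_model *t, const uint8_t *p, size_t len)
{
	memcpy((uint8_t *)t + offsetof(struct target_model, sensf_res), p, len);
	t->sensf_res_len = len;
}

/* v2: reject anything larger than struct digital_sensf_res, then clamp the
 * copy into the 18-byte buffer so a valid 19-byte response still works. */
static bool copy_bounded(struct target_model *t, const uint8_t *p, size_t len)
{
	if (len > DIGITAL_SENSF_RES_SIZE)
		return false;
	size_t n = len < TARGET_SENSF_RES_LEN ? len : TARGET_SENSF_RES_LEN;
	memcpy(t->sensf_res, p, n);
	t->sensf_res_len = n;
	return true;
}

/* Copy a constructed all-0xAA payload of the given length and return the
 * canary: 0x5A means intact, 0xAA means the copy ran past the buffer. */
static uint8_t canary_after_copy(bool bounded, size_t len, size_t *copied)
{
	uint8_t payload[32];
	memset(payload, 0xAA, sizeof(payload));   /* constructed SENSF_RES bytes */
	struct target_model t = { .canary = 0x5A };
	if (bounded)
		copy_bounded(&t, payload, len);
	else
		copy_unbounded(&t, payload, len);
	*copied = t.sensf_res_len;
	return t.canary;
}
```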