[PATCH net v4 0/5] nfc: fix multiple OOB reads in NCI and LLCP parsing paths
From: Lekë Hapçiu
Date: Fri Apr 24 2026 - 14:02:36 EST
This series fixes five out-of-bounds / underflow bugs in the kernel NFC
stack. All are reachable from a remote NFC peer that the local stack
has already associated with; in the LLCP cases the peer only needs to
send a malformed frame.
1/5 nci:  u8 underflow in nci_store_general_bytes_nfc_dep() lets the
          attacker-controlled atr_res_len skip the GT-offset subtraction
          and cause an OOB read/write against general_bytes[].
2/5 llcp: parse_gb_tlv() / parse_connection_tlv() trust the TLV
          length byte without checking remaining buffer, and the tlv16
          accessors read past the end when length < 2.
3/5 llcp: nfc_llcp_recv_snl() has the same TLV-length trust bug, and
          its SDRES handler uses an unbounded "%.16s" pr_debug() that
          walks past service_name_len.
4/5 llcp: nfc_llcp_recv_dm() reads skb->data[3] without checking
          skb->len, giving a 1-byte heap OOB read.
5/5 llcp: nfc_llcp_connect_sn() walks the TLV array with no length
          validation; a crafted CONNECT frame drops it into OOB reads /
          an unbounded service-name pointer.
The series applies on top of net/main.
Lekë Hapçiu (5):
  nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
  nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
  nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
  nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm
  nfc: llcp: fix TLV parsing OOB in nfc_llcp_connect_sn
net/nfc/llcp_commands.c | 24 ++++++++++++++++++++++--
net/nfc/llcp_core.c | 35 ++++++++++++++++++++++++++++++++---
net/nfc/nci/ntf.c | 6 ++++++
3 files changed, 60 insertions(+), 5 deletions(-)
--
2.51.0
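The two defect classes the cover letter describes (a TLV walker that trusts the per-element length byte, and a u8 length subtraction that wraps) are illustrated below in a stand-alone userspace example. This is added editorial code, not part of the series or of net/nfc; the tag values, the GT_OFFSET constant, the struct names and the sample buffers are all constructed for the demo and do not correspond to kernel identifiers.

```c
/* Bounded TLV parsing and guarded u8 length arithmetic.
 * Added example, not kernel code; all names and constants are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define TLV_MIUX         0x02   /* constructed tag: 16-bit value, 2-byte body */
#define TLV_SERVICE_NAME 0x06   /* constructed tag: variable-length string */
#define GT_OFFSET        15     /* hypothetical offset of general bytes in ATR_RES */

struct parsed_tlvs {
    uint16_t miux;
    const uint8_t *sn;   /* points into the caller's buffer, never past its end */
    size_t sn_len;
    int count;
};

/* Hardened walker: every declared length is checked against the bytes that
 * actually remain, and a 16-bit accessor is only used when the body holds
 * at least 2 bytes. Returns false on any malformed element. */
static bool parse_tlvs_bounded(const uint8_t *buf, size_t len, struct parsed_tlvs *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        if (len - off < 2)             /* need tag + length bytes */
            return false;
        uint8_t tag = buf[off], tlen = buf[off + 1];
        off += 2;
        if (tlen > len - off)          /* declared body longer than remaining data */
            return false;
        switch (tag) {
        case TLV_MIUX:
            if (tlen < 2)              /* a 16-bit read needs a 2-byte body */
                return false;
            out->miux = (uint16_t)((buf[off] << 8) | buf[off + 1]);
            break;
        case TLV_SERVICE_NAME:
            out->sn = buf + off;       /* length is now known to be in bounds */
            out->sn_len = tlen;
            break;
        default:
            break;                     /* unknown tag: skip by its (checked) length */
        }
        off += tlen;
        out->count++;
    }
    return true;
}

/* Unguarded form of the length subtraction: storing the result in a u8
 * wraps when atr_res_len < GT_OFFSET, yielding a large bogus length. */
static uint8_t gt_len_unchecked(uint8_t atr_res_len)
{
    uint8_t gt_len = (uint8_t)(atr_res_len - GT_OFFSET);
    return gt_len;
}

/* Guarded form: reject short inputs before subtracting, and cap the result
 * at the destination buffer size. Returns -1 on rejection. */
static int gt_len_checked(uint8_t atr_res_len, size_t dest_size)
{
    if (atr_res_len < GT_OFFSET)
        return -1;
    size_t gt_len = (size_t)atr_res_len - GT_OFFSET;
    if (gt_len > dest_size)
        return -1;
    return (int)gt_len;
}

/* Constructed inputs exercising the walker; each helper returns a scalar. */
static int demo_valid_miux(void)
{
    static const uint8_t ok[] = { 0x02, 0x02, 0x07, 0xFF, 0x06, 0x03, 'a', 'b', 'c' };
    struct parsed_tlvs p;
    return parse_tlvs_bounded(ok, sizeof(ok), &p) && p.count == 2 && p.sn_len == 3
           ? (int)p.miux : -1;
}

static int demo_overlong(void)   /* service-name length claims 16, only 1 byte follows */
{
    static const uint8_t bad[] = { 0x06, 0x10, 'a' };
    struct parsed_tlvs p;
    return parse_tlvs_bounded(bad, sizeof(bad), &p) ? 1 : 0;
}

static int demo_short_u16(void)  /* 16-bit TLV with a 1-byte body */
{
    static const uint8_t bad[] = { 0x02, 0x01, 0x07 };
    struct parsed_tlvs p;
    return parse_tlvs_bounded(bad, sizeof(bad), &p) ? 1 : 0;
}

int main(void)
{
    printf("miux=%d overlong=%d short_u16=%d\n",
           demo_valid_miux(), demo_overlong(), demo_short_u16());
    printf("unchecked(10)=%u checked(10)=%d checked(20)=%d\n",
           gt_len_unchecked(10), gt_len_checked(10, 48), gt_len_checked(20, 48));
    return 0;
}
```

The walker never forms a pointer or length that exceeds the input it was given, which is what lets later code (a debug print of the service name, a 16-bit accessor) rely on the parsed fields without re-checking them.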