[PATCH net v2] nfc: digital: clamp SENSF_RES length to the destination buffer

From: Doruk Tan Ozturk

Date: Wed Jun 03 2026 - 10:22:04 EST


digital_in_recv_sensf_res() memcpy()s resp->len bytes from a remote
NFC-F device response into the NFC_SENSF_RES_MAXSIZE-byte target.sensf_res
field without an upper-bound check. A nearby malicious NFC-F device can
send an oversized SENSF_RES response to overflow the stack-local struct
nfc_target.

Clamp resp->len to NFC_SENSF_RES_MAXSIZE before the copy.

Found by 0sec automated security-research tooling (https://0sec.ai).

Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
---
v2:
- Clamp resp->len with min_t() before the copy (Alexander Lobakin).
- Add Fixes: tag and Cc: stable (Alexander Lobakin).
- Frame as a stack buffer overflow (saved-return overwrite not demonstrated).
net/nfc/digital_technology.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index ae63c5eb0..ae6487c10 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -778,6 +778,8 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg,

sensf_res = (struct digital_sensf_res *)resp->data;

+ resp->len = min_t(unsigned int, resp->len, NFC_SENSF_RES_MAXSIZE);
+
memcpy(target.sensf_res, sensf_res, resp->len);
target.sensf_res_len = resp->len;

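Review bot: The added min_t() line writes the clamped value back into resp->len itself, so the length actually received is lost and an oversized SENSF_RES is silently accepted in truncated form instead of being rejected. Consider leaving resp->len untouched and copying through a local, e.g. `len = min_t(unsigned int, resp->len, NFC_SENSF_RES_MAXSIZE);` then `memcpy(target.sensf_res, sensf_res, len);` and `target.sensf_res_len = len;`, or failing the response outright when resp->len exceeds NFC_SENSF_RES_MAXSIZE, since the constant's name marks anything longer as out of bounds. A one-line comment noting that resp->len is controlled by the remote device would also make the reason for the bound obvious to the next reader.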
--
2.53.0