Re: [PATCH net] nfc: nci: validate packet length when parsing NCI 2.x RF interfaces
From: David Heidelberg
Date: Sun Jun 21 2026 - 12:47:23 EST
On 11/06/2026 18:27, Zijing Yin wrote:
nci_core_init_rsp_packet_v2() parses the variable-length list of
supported RF interfaces carried in an NCI 2.x CORE_INIT_RSP without ever
validating the controller-supplied lengths against the size of the
received packet.
Each list entry is a (RF interface, RF extension count, RF extensions[])
tuple. The loop walks the list using the per-entry extension count
(rf_extension_cnt, up to 255) taken straight from the packet, so a
malformed CORE_INIT_RSP can advance the read pointer far past the end of
the skb data buffer. The stored interface count is clamped to
NCI_MAX_SUPPORTED_RF_INTERFACES so the write side is bounded, but the
read side runs off the end of the buffer.
A malformed CORE_INIT_RSP from the controller, also reachable from user
space through the virtual NCI device (CONFIG_NFC_VIRTUAL_NCI) once the
device has entered NCI 2.x mode, therefore makes the parser read past the
end of the response buffer while walking the interface list, copying the
out-of-bounds bytes into ndev->supported_rf_interfaces[].
Reject responses shorter than the fixed part of the structure, and make
sure each interface entry and its extension bytes lie within the received
packet before dereferencing them. A truncated or malformed list is
treated as a syntax error, which fails the CORE_INIT request instead of
reading out of bounds.
Fixes: bcd684aace34 ("net/nfc/nci: Support NCI 2.x initial sequence")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zijing Yin <yzjaurora@xxxxxxxxx>
---
net/nfc/nci/rsp.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
Hello Zijing,
In the meantime, an earlier patch [1] got merged, which also seems to address the issue.
Could you review that the issue is now fixed for you?
The NFC tree is here [2].
Thank you and sorry for the late reply
David
[1] https://lore.kernel.org/all/20260527052625.3309581-1-yun.zhou@xxxxxxxxxxxxx/
[2] https://codeberg.org/linux-nfc/linux
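As an added illustration of the list walk the commit message describes (example code written for this page, not the kernel's net/nfc/nci/rsp.c or either patch): the unchecked walk clamps only the number of entries it stores and advances its read offset by every controller-supplied extension count, so a malformed list pulls bytes from beyond the received packet into the interface table; the checked walk bounds each entry header and its extension bytes against the packet length and reports a syntax error instead. The layout is simplified to the count followed by the (interface, extension count, extensions[]) entries, and the table size, the return codes and the sample response bytes are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example; stands in for NCI_MAX_SUPPORTED_RF_INTERFACES. */
#define MAX_SUPPORTED_RF_INTERFACES 4
#define PARSE_OK            0
#define PARSE_SYNTAX_ERROR  (-1)   /* assumed stand-in for "fail as a syntax error" */

struct rf_iface_table {
	unsigned int num_supported;
	uint8_t supported[MAX_SUPPORTED_RF_INTERFACES];
};

/*
 * Unchecked walk, modelling the flaw: the number of entries written is clamped,
 * but the read offset trusts every rf_extension_cnt in the packet and is never
 * compared with the packet length.  Only called below on a buffer padded with
 * canary bytes, so the over-read stays inside real memory and is observable.
 */
static void parse_rf_ifaces_unchecked(const uint8_t *pkt, struct rf_iface_table *t)
{
	size_t off = 0;
	unsigned int n = pkt[off++];
	unsigned int i;

	t->num_supported = n < MAX_SUPPORTED_RF_INTERFACES ? n : MAX_SUPPORTED_RF_INTERFACES;
	for (i = 0; i < t->num_supported; i++) {
		uint8_t ext_cnt;

		t->supported[i] = pkt[off];     /* may be beyond the received data */
		ext_cnt = pkt[off + 1];
		off += 2 + ext_cnt;             /* advances by whatever the packet claims */
	}
}

/* Checked walk: every byte is proven to lie inside the received packet first. */
static int parse_rf_ifaces_checked(const uint8_t *pkt, size_t len, struct rf_iface_table *t)
{
	size_t off = 0;
	unsigned int n, i;

	if (len < 1)                            /* fixed part (the count) missing */
		return PARSE_SYNTAX_ERROR;
	n = pkt[off++];
	t->num_supported = n < MAX_SUPPORTED_RF_INTERFACES ? n : MAX_SUPPORTED_RF_INTERFACES;
	for (i = 0; i < t->num_supported; i++) {
		uint8_t ext_cnt;

		if (len - off < 2)                  /* (interface, extension count) must fit */
			return PARSE_SYNTAX_ERROR;
		t->supported[i] = pkt[off];
		ext_cnt = pkt[off + 1];
		off += 2;
		if (len - off < ext_cnt)            /* the extension bytes must fit as well */
			return PARSE_SYNTAX_ERROR;
		off += ext_cnt;
	}
	return PARSE_OK;
}

/* Constructed malformed list: claims 3 interfaces, but the second entry's
 * extension count (0x20) points far past the 5 bytes actually received. */
static const uint8_t malformed_rsp[] = { 3, 0x01, 0x00, 0x02, 0x20 };
/* Constructed well-formed list: 2 interfaces, the second with one extension byte. */
static const uint8_t wellformed_rsp[] = { 2, 0x01, 0x00, 0x02, 0x01, 0xAA };

#define CANARY 0xCC

/* Returns what the unchecked walk stored as the third interface: the canary,
 * i.e. a byte from memory beyond the received packet. */
int unchecked_stores_byte_past_end(void)
{
	uint8_t backing[64];
	struct rf_iface_table t = { 0 };

	memset(backing, CANARY, sizeof(backing));
	memcpy(backing, malformed_rsp, sizeof(malformed_rsp));
	parse_rf_ifaces_unchecked(backing, &t);
	return t.supported[2];
}

int checked_rejects_malformed(void)
{
	struct rf_iface_table t = { 0 };

	return parse_rf_ifaces_checked(malformed_rsp, sizeof(malformed_rsp), &t);
}

int checked_accepts_wellformed(void)
{
	struct rf_iface_table t = { 0 };

	return parse_rf_ifaces_checked(wellformed_rsp, sizeof(wellformed_rsp), &t);
}

/* Packs (count, first interface, second interface) of the well-formed parse. */
int checked_wellformed_result(void)
{
	struct rf_iface_table t = { 0 };

	parse_rf_ifaces_checked(wellformed_rsp, sizeof(wellformed_rsp), &t);
	return (t.num_supported << 16) | (t.supported[0] << 8) | t.supported[1];
}

int main(void)
{
	printf("unchecked walk stored 0x%02x for interface 3 (canary is 0x%02x)\n",
	       unchecked_stores_byte_past_end(), CANARY);
	printf("checked walk, malformed list: %d\n", checked_rejects_malformed());
	printf("checked walk, well-formed list: %d (packed result 0x%06x)\n",
	       checked_accepts_wellformed(), checked_wellformed_result());
	return 0;
}
```

Build with `cc -Wall -o nci_rf_walk nci_rf_walk.c && ./nci_rf_walk`. The `len - off` form is deliberate: `off` never exceeds `len` in the checked walk, so the subtraction cannot wrap, whereas `off + ext_cnt > len` would need a separate overflow argument.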