[PATCH] net/nfc: bound SENSF response copy length

From: Pengpeng Hou

Date: Sat Mar 21 2026 - 23:20:30 EST


`digital_in_recv_sensf_res()` only checks `resp->len` against the
minimum frame size before copying the response into
`target.sensf_res`. The destination is `NFC_SENSF_RES_MAXSIZE` bytes
long, so an oversized SENSF response can overwrite adjacent fields in
the stack-local `struct nfc_target` before the result is handed to
`digital_target_found()`.

Reject frames larger than the destination buffer before copying.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
net/nfc/digital_technology.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index 63f1b721c71d..8147e61c224a 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -768,6 +768,11 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg,

skb_pull(resp, 1);

+ if (resp->len > NFC_SENSF_RES_MAXSIZE) {
+ rc = -EIO;
+ goto exit;
+ }
+
memset(&target, 0, sizeof(struct nfc_target));

sensf_res = (struct digital_sensf_res *)resp->data;
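Review bot: the new bound at the top of the hunk is placed after `skb_pull(resp, 1)`, so `resp->len` is the remaining payload length rather than the raw frame length, which is the right quantity to compare against `NFC_SENSF_RES_MAXSIZE` given that the commit message says the same `resp->len` drives the copy into `target.sensf_res`. Two things are still missing: since this closes a stack overwrite reachable from a peer-supplied frame, the commit message should carry a `Fixes:` tag for the commit that introduced the unbounded copy and a `Cc: stable@vger.kernel.org` line; and a one-line comment above the check (e.g. `/* the copy into target.sensf_res below is bounded by NFC_SENSF_RES_MAXSIZE */`) would tell future readers why an otherwise well-formed response is rejected with -EIO here.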
--
2.50.1 (Apple Git-155)