Re: [PATCH v3] nfc: hci: fix out-of-bounds read in HCP header parsing

From: Jakub Kicinski

Date: Mon Apr 13 2026 - 13:55:34 EST


On Mon, 13 Apr 2026 02:43:29 +0000 Ashutosh Desai wrote:
> nfc_hci_recv_from_llc() and nci_hci_data_received_cb() cast skb->data
> to struct hcp_packet and read the message header byte without checking
> that enough data is present in the linear sk_buff area. A malicious NFC
> peer can send a 1-byte HCP frame that passes through the SHDLC layer
> and reaches these functions, causing an out-of-bounds heap read.
>
> Fix this by adding pskb_may_pull() before each cast to ensure the full
> 2-byte HCP header is pulled into the linear area before it is accessed.

This is missing a Fixes tag.
Also please do not post a new revision of a patch in response to the
previous one.
--
pw-bot: cr
pv-bot: fixes
pv-bot: thread
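The check the commit message describes, as an added userspace model that is not the kernel's code: struct skb, skb_may_pull() and the two parse functions are simplified stand-ins for sk_buff, pskb_may_pull() and the HCI receive paths, and the 2-byte header layout (chaining bit plus pipe id, then message type plus instruction) is assumed from the HCP format. The 'before' parser reads the second header byte from whatever follows a 1-byte frame; the 'after' parser rejects the frame before the cast.

```c
/* Added example, not kernel code: userspace model of checking the linear
 * area length before casting skb->data to the HCP header.  Names and the
 * header layout are assumptions of this model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCP_HEADER_LEN 2   /* packet header byte + message header byte */

struct hcp_packet {
    uint8_t header;   /* bit 7: chaining bit, bits 0-6: pipe id */
    uint8_t message;  /* bits 6-7: message type, bits 0-5: instruction */
};

/* Minimal stand-in for the linear area of an sk_buff. */
struct skb {
    const uint8_t *data;
    size_t len;        /* bytes actually present, like skb->len */
};

/* Stand-in for pskb_may_pull(): the header may only be touched when the
 * linear area holds at least n bytes. */
static int skb_may_pull(const struct skb *skb, size_t n)
{
    return skb->len >= n;
}

struct hcp_hdr {
    int valid;           /* 0: frame rejected, other fields are zero */
    uint8_t chaining, pipe, type, instruction;
};

static struct hcp_hdr decode(const struct hcp_packet *pkt)
{
    struct hcp_hdr h;
    h.valid = 1;
    h.chaining = pkt->header >> 7;
    h.pipe = pkt->header & 0x7f;
    h.type = pkt->message >> 6;
    h.instruction = pkt->message & 0x3f;
    return h;
}

/* 'Before': casts skb->data and reads both header bytes without looking
 * at skb->len, so a 1-byte frame makes it read the byte after the frame. */
struct hcp_hdr hcp_parse_unchecked(const uint8_t *data, size_t len)
{
    struct skb skb = { data, len };
    return decode((const struct hcp_packet *)skb.data);
}

/* 'After': the length check precedes the cast, as the patch does with
 * pskb_may_pull(); short frames are dropped instead of read past. */
struct hcp_hdr hcp_parse_checked(const uint8_t *data, size_t len)
{
    struct skb skb = { data, len };
    struct hcp_hdr rejected = {0};
    if (!skb_may_pull(&skb, HCP_HEADER_LEN))
        return rejected;
    return decode((const struct hcp_packet *)skb.data);
}

/* Constructed frames.  The 1-byte frame sits inside a larger buffer whose
 * next byte (0xaa) stands for unrelated memory beyond the frame. */
const uint8_t HCP_SHORT_FRAME[4] = { 0x05, 0xaa, 0x00, 0x00 };
const size_t  HCP_SHORT_FRAME_LEN = 1;
const uint8_t HCP_GOOD_FRAME[2]  = { 0x85, 0x41 }; /* chained, pipe 5, type 1, instr 1 */

int main(void)
{
    struct hcp_hdr u = hcp_parse_unchecked(HCP_SHORT_FRAME, HCP_SHORT_FRAME_LEN);
    struct hcp_hdr c = hcp_parse_checked(HCP_SHORT_FRAME, HCP_SHORT_FRAME_LEN);
    printf("unchecked: valid=%d type=%u instr=0x%02x (taken from beyond the frame)\n",
           u.valid, u.type, u.instruction);
    printf("checked:   valid=%d (frame dropped)\n", c.valid);
    return 0;
}
```

The point to carry over to the real code is the ordering: the pskb_may_pull() call has to come before the cast, and its length argument has to cover every header byte the function goes on to read, not just the first one.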