[PATCH net 0/2] nfc: llcp: fix OOB reads and integer bugs in TLV parsers

Next message: Muhammad Bilal: "[PATCH net 1/2] nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers"
Previous message: Edgecombe, Rick P: "Re: [PATCH v9 09/23] coco/tdx-host: Don't expose P-SEAMLDR information on CPUs with erratum"
Next in thread: Muhammad Bilal: "[PATCH net 1/2] nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Muhammad Bilal

Date: Mon May 18 2026 - 21:25:14 EST

This series fixes memory safety bugs in the NFC LLCP TLV parsing code,
reachable from a remote NFC peer via crafted LLCP frames.

Patch 1 fixes nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv():
- u8 offset wraps to zero after 255 (widened to u16)
- OOB read of TLV header on truncated buffer
- OOB read of value field via attacker-controlled length byte

Patch 2 fixes nfc_llcp_recv_snl():
- OOB read of TLV header when tlv_len - offset == 1
- OOB read of SDREQ value via attacker-controlled length
- SIZE_MAX underflow when length == 0 in service_name_len,
bypassing the sn_len == 0 guard in nfc_llcp_sock_from_sn()

Previously reported to security@xxxxxxxxxx on 2026-05-15. Willy Tarreau
advised posting to public lists as NFC is currently orphaned.

Muhammad Bilal (2):
nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers
nfc: llcp: add missing bounds checks in nfc_llcp_recv_snl()

net/nfc/llcp_commands.c | 28 ++++++++++++++++++++++++++--
net/nfc/llcp_core.c | 23 +++++++++++++++++++++--
2 files changed, 47 insertions(+), 4 deletions(-)

--
2.54.0