git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 9 Apr 2026 15:18:14 +0000 (17:18 +0200)
committer	Jakub Kicinski <kuba@kernel.org>
	Sun, 12 Apr 2026 18:40:45 +0000 (11:40 -0700)
commit	46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1
tree	04dd7dfec0fe64712cc32d92d050622fb9973278	tree \| snapshot
parent	a6bd339dbb3514bce690fdcf252e788dfab4ee76	commit \| diff

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device. The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this. This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.

Fix this by rejecting the response when the accumulated UID would exceed
the buffer.

Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.

Cc: Simon Horman <horms@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>