git.ipfire.org Git - thirdparty/linux.git/commit

author	Ashutosh Desai <ashutoshdesai993@gmail.com>
	Tue, 5 May 2026 17:07:12 +0000 (17:07 +0000)
committer	David Heidelberg <david@ixit.cz>
	Thu, 7 May 2026 10:42:09 +0000 (12:42 +0200)
commit	f040e590c035bfd9553fe79ee9585caf1b14d67b
tree	a5c6d535270073d0691fbce9a3f502f55781504a	tree \| snapshot
parent	b493ea2765cc17cb8aa7e7544a4b6dcb05b6ed77	commit \| diff

nfc: hci: fix out-of-bounds read in HCP header parsing

Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
Signed-off-by: David Heidelberg <david@ixit.cz>

net/nfc/hci/core.c		diff \| blob \| blame \| history
net/nfc/nci/hci.c		diff \| blob \| blame \| history