1. Patchew
  2. linux
  3. View series

[PATCH] NFC: pn533: bound the UART receive buffer

Pengpeng Hou posted 1 patch 1 week, 4 days ago
There is a newer version of this series
drivers/nfc/pn533/uart.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] NFC: pn533: bound the UART receive buffer
Posted by Pengpeng Hou 1 week, 4 days ago 
pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/nfc/pn533/uart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 6d2f520a5bc8..1b82b7b2a5fa 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -211,6 +211,9 @@ static size_t pn532_receive_buf(struct serdev_device *serdev,
 
 	timer_delete(&dev->cmd_timeout);
 	for (i = 0; i < count; i++) {
+		if (unlikely(!skb_tailroom(dev->recv_skb)))
+			skb_trim(dev->recv_skb, 0);
+
 		skb_put_u8(dev->recv_skb, *data++);
 		if (!pn532_uart_rx_is_frame(dev->recv_skb))
 			continue;
-- 
2.50.1 (Apple Git-155)
Re: [PATCH] NFC: pn533: bound the UART receive buffer
Posted by Paolo Abeni 1 week, 1 day ago 
On 3/23/26 8:24 AM, Pengpeng Hou wrote:
> pn532_receive_buf() appends every incoming byte to dev->recv_skb and
> only resets the buffer after pn532_uart_rx_is_frame() recognizes a
> complete frame. A continuous stream of bytes without a valid PN532 frame
> header therefore keeps growing the skb until skb_put_u8() hits the tail
> limit.
> 
> Drop the accumulated partial frame once the fixed receive buffer is full
> so malformed UART traffic cannot grow the skb past
> PN532_UART_SKB_BUFF_LEN.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>

This looks line 'net' material. Could you please provide a suitable
Fixes tag?

Thanks,

Paolo
[PATCH net v2] NFC: pn533: bound the UART receive buffer
Posted by Pengpeng Hou 1 week, 1 day ago 
pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- add the requested Fixes tag for the UART receive path

 drivers/nfc/pn533/uart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 6d2f520a5bc8..1b82b7b2a5fa 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -211,6 +211,9 @@ static size_t pn532_receive_buf(struct serdev_device *serdev,
 
 	timer_delete(&dev->cmd_timeout);
 	for (i = 0; i < count; i++) {
+		if (unlikely(!skb_tailroom(dev->recv_skb)))
+			skb_trim(dev->recv_skb, 0);
+
 		skb_put_u8(dev->recv_skb, *data++);
 		if (!pn532_uart_rx_is_frame(dev->recv_skb))
 			continue;
-- 
2.50.1 (Apple Git-155)

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.