This series fixes five out-of-bounds / underflow bugs in the kernel NFC
stack. All are reachable from a remote NFC peer that the local stack
has already associated with; in the LLCP cases the peer only needs to
send a malformed frame.
  1/5 nci: u8 underflow in nci_store_general_bytes_nfc_dep() lets the
      attacker-controlled atr_res_len skip the GT-offset subtraction
      and cause an OOB read/write against general_bytes[].
  2/5 llcp: parse_gb_tlv() / parse_connection_tlv() trust the TLV
      length byte without checking remaining buffer, and the tlv16
      accessors read past the end when length < 2.
  3/5 llcp: nfc_llcp_recv_snl() has the same TLV-length trust bug, and
      its SDRES handler uses an unbounded "%.16s" pr_debug() that
      walks past service_name_len.
  4/5 llcp: nfc_llcp_recv_dm() reads skb->data[3] without checking
      skb->len, giving a 1-byte heap OOB read.
  5/5 llcp: nfc_llcp_connect_sn() walks the TLV array with no length
      validation; a crafted CONNECT frame drops it into OOB reads /
      an unbounded service-name pointer.
The series applies on top of net/main.
Lekë Hapçiu (5):
nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm
nfc: llcp: fix TLV parsing OOB in nfc_llcp_connect_sn
net/nfc/llcp_commands.c | 24 ++++++++++++++++++++++--
net/nfc/llcp_core.c | 35 ++++++++++++++++++++++++++++++++---
net/nfc/nci/ntf.c | 6 ++++++
3 files changed, 60 insertions(+), 5 deletions(-)
--
2.51.0
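An added illustration, not code from this series or from net/nfc: the three defensive patterns the cover letter's bugs call for, namely a TLV walk that checks every peer-supplied length byte against the bytes actually remaining, a 16-bit accessor that refuses values shorter than two bytes, and a guarded u8 subtraction that cannot wrap. The 1-byte-type / 1-byte-length TLV layout, big-endian 16-bit values, and all function names here are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* One LLCP-style TLV: 1-byte type, 1-byte length, then `len` value bytes. */
struct tlv_view { uint8_t type; uint8_t len; const uint8_t *value; };

/*
 * Find the first TLV of type `want` in a `total`-byte array. Every header
 * and length byte is checked against the bytes actually remaining, so a
 * peer-supplied length can never move the cursor past the buffer.
 * Returns 1 if found (filled into *out), 0 if absent, -1 if truncated.
 */
static int tlv_find(const uint8_t *buf, size_t total, uint8_t want,
                    struct tlv_view *out)
{
    size_t off = 0;

    while (off < total) {
        if (total - off < 2)          /* need type + length byte */
            return -1;
        uint8_t type = buf[off], len = buf[off + 1];
        if (len > total - off - 2)    /* length byte overruns buffer */
            return -1;
        if (type == want) {
            out->type = type;
            out->len = len;
            out->value = buf + off + 2;
            return 1;
        }
        off += 2 + (size_t)len;
    }
    return 0;
}

/* 16-bit accessor: refuse to read two bytes from a value shorter than two. */
static int tlv_u16_be(const struct tlv_view *tlv, uint16_t *out)
{
    if (tlv->len < 2)
        return -1;
    *out = (uint16_t)((tlv->value[0] << 8) | tlv->value[1]);
    return 0;
}

/* Guard the u8 subtraction: a short ATR_RES must not wrap to a huge length. */
static int gb_len_after_offset(uint8_t atr_res_len, uint8_t gt_offset)
{
    return atr_res_len < gt_offset ? -1 : atr_res_len - gt_offset;
}
```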
On Fri, Apr 24, 2026 at 08:01:46PM +0200, Lekë Hapçiu wrote:
> This series fixes five out-of-bounds / underflow bugs in the kernel NFC
> stack. All are reachable from a remote NFC peer that the local stack
> has already associated with; in the LLCP cases the peer only needs to
> send a malformed frame.
>
>   1/5 nci: u8 underflow in nci_store_general_bytes_nfc_dep() lets the
>       attacker-controlled atr_res_len skip the GT-offset subtraction
>       and cause an OOB read/write against general_bytes[].
>   2/5 llcp: parse_gb_tlv() / parse_connection_tlv() trust the TLV
>       length byte without checking remaining buffer, and the tlv16
>       accessors read past the end when length < 2.
>   3/5 llcp: nfc_llcp_recv_snl() has the same TLV-length trust bug, and
>       its SDRES handler uses an unbounded "%.16s" pr_debug() that
>       walks past service_name_len.
>   4/5 llcp: nfc_llcp_recv_dm() reads skb->data[3] without checking
>       skb->len, giving a 1-byte heap OOB read.
>   5/5 llcp: nfc_llcp_connect_sn() walks the TLV array with no length
>       validation; a crafted CONNECT frame drops it into OOB reads /
>       an unbounded service-name pointer.
>
> The series applies on top of net/main.
>
> Lekë Hapçiu (5):
>   nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
>   nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
>   nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
>   nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm
>   nfc: llcp: fix TLV parsing OOB in nfc_llcp_connect_sn

Hi,

My only feedback on v4 of this patchset is that somehow the
threading is broken: each of patch 1/5 - 5/5 should be a reply
to the cover letter - 0/5 - but that does not seem to be the case.
And some tooling, notably Sashiko, seems to rely on the
entire patchset being contained in a single email thread.
On 4/28/26 2:55 PM, Simon Horman wrote:
> On Fri, Apr 24, 2026 at 08:01:46PM +0200, Lekë Hapçiu wrote:
>> This series fixes five out-of-bounds / underflow bugs in the kernel NFC
>> stack. All are reachable from a remote NFC peer that the local stack
>> has already associated with; in the LLCP cases the peer only needs to
>> send a malformed frame.
>>
>>   1/5 nci: u8 underflow in nci_store_general_bytes_nfc_dep() lets the
>>       attacker-controlled atr_res_len skip the GT-offset subtraction
>>       and cause an OOB read/write against general_bytes[].
>>   2/5 llcp: parse_gb_tlv() / parse_connection_tlv() trust the TLV
>>       length byte without checking remaining buffer, and the tlv16
>>       accessors read past the end when length < 2.
>>   3/5 llcp: nfc_llcp_recv_snl() has the same TLV-length trust bug, and
>>       its SDRES handler uses an unbounded "%.16s" pr_debug() that
>>       walks past service_name_len.
>>   4/5 llcp: nfc_llcp_recv_dm() reads skb->data[3] without checking
>>       skb->len, giving a 1-byte heap OOB read.
>>   5/5 llcp: nfc_llcp_connect_sn() walks the TLV array with no length
>>       validation; a crafted CONNECT frame drops it into OOB reads /
>>       an unbounded service-name pointer.
>>
>> The series applies on top of net/main.
>>
>> Lekë Hapçiu (5):
>>   nfc: nci: fix u8 underflow in nci_store_general_bytes_nfc_dep
>>   nfc: llcp: fix TLV parsing in parse_gb_tlv and parse_connection_tlv
>>   nfc: llcp: fix TLV parsing OOB in nfc_llcp_recv_snl
>>   nfc: llcp: fix OOB read of DM reason byte in nfc_llcp_recv_dm
>>   nfc: llcp: fix TLV parsing OOB in nfc_llcp_connect_sn
>
> Hi,
>
> My only feedback on v4 of this patchset is that somehow the
> threading is broken: each of patch 1/5 - 5/5 should be a reply
> to the cover letter - 0/5 - but that does not seem to be the case.
> And some tooling, notably Sashiko, seems to rely on the
> entire patchset being contained in a single email thread.

Given the above, I suggest re-posting.
Also note that we are moving NFC to a specific subtree, see:

https://lore.kernel.org/netdev/938496c6-84c1-4d53-bb56-73bbd7b2bdd7@ixit.cz/

Please wait a bit for resubmission; possibly David will already be ready to catch them.

Thanks,

Paolo