On Mon, May 18, 2026 at 09:19:35PM -0400, Muhammad Bilal wrote:
> This series fixes memory safety bugs in the NFC LLCP TLV parsing code,
> reachable from a remote NFC peer via crafted LLCP frames.
>
> Patch 1 fixes nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv():
> - u8 offset wraps to zero after 255 (widened to u16)
> - OOB read of TLV header on truncated buffer
> - OOB read of value field via attacker-controlled length byte
>
> Patch 2 fixes nfc_llcp_recv_snl():
> - OOB read of TLV header when tlv_len - offset == 1
> - OOB read of SDREQ value via attacker-controlled length
> - SIZE_MAX underflow when length == 0 in service_name_len,
> bypassing the sn_len == 0 guard in nfc_llcp_sock_from_sn()
>
> Previously reported to security@kernel.org on 2026-05-15. Willy Tarreau
> advised posting to public lists as NFC is currently orphaned.
Reviewed-by: Simon Horman <horms@kernel.org>
The AI generated review at sashiko.dev has flagged a number
or pre-existing problems.
While several of them do seem to impact the effectiveness of these
patches I would suggest treating them as items for possible follow-up.
I say that in order to expanding the scope of this patch-set.
Which I believe risks growing significantly if related issues
are solved; because I fully expect that to lead to more related issues.
So I advocate an incremental approach, starting with this
patchset in it's current form.