From nobody Mon Jun  8 08:52:46 2026
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com
 [209.85.128.45])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D349530C62D
	for <linux-kernel@vger.kernel.org>; Thu,  4 Jun 2026 15:22:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.45
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780586567; cv=none;
 b=tDwz6/OL1g9qRr2gVU660TVhtXGbZfNhNjc/sPrhvTenqXxCfsZM3/JYgtsTKcS5p2qQCb4mbDotVKcl5RJDc0heBDtWX+f+r7niCJTkoQTQnVaYQ1iKBu01z785hJnY/Kww/mhhUhZHCCbov0pjG4pNd5ry+WVHu8Kq0G7r/8Y=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780586567; c=relaxed/simple;
	bh=1N2/YBPS0yKsXsmbDL1qepre7J2Bz11f1c9p72hi8do=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=hCYP/2+ZTBcJNAj60PI4MXtg+A+D7dFhoxRK9lezaFiW3oTaJzixdfW4Jk7fcL4cnTqNAN3JFOpaaGvIoZEBNJ03wkEBzzX7lLTvBY+SXpgkyBT0zgd3uJIuIMsL3ZNUuobHVPVyTAhbEdzZlAghFJjJab7wKLDZ+MV6Dx8BMHg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=0sec.ai;
 spf=pass smtp.mailfrom=0sec.ai;
 dkim=temperror (0-bit key) header.d=0sec.ai header.i=@0sec.ai
 header.b=qB7T3zH3; arc=none smtp.client-ip=209.85.128.45
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=0sec.ai
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=0sec.ai
Authentication-Results: smtp.subspace.kernel.org;
	dkim=temperror (0-bit key) header.d=0sec.ai header.i=@0sec.ai
 header.b="qB7T3zH3"
Received: by mail-wm1-f45.google.com with SMTP id
 5b1f17b1804b1-490b3e03939so7530485e9.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Jun 2026 08:22:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=0sec.ai; s=google; t=1780586563; x=1781191363; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=d57863DyLZ15Xl19eK7AJO9RSKTq1a/9ZBFF5sPg3ZM=;
        b=qB7T3zH3RgO2fD6+qEcOdqINMzJOrpIK/NYinsXlgtz82tKyu+uPVnOsVLTWCv3enE
         VHy1m+r2RV6g9MLZpcjlIXfkE18LlFuPo4q132DT+CO2btoT6muCemBzM5K90JGKiKtC
         mFtjOKbmaSZhvWRNUrKKC91x9tMVn4gaw4NzbiqPFRszgctdOAWg0OL1GfdlxKIhn1p/
         3eLcIHvTtjpM4jVDY634muZkhRzS0BGho991Vs6MetuFvNjcxawoGNQ92GTTBwadxqwv
         BBCYzg4KRdl5KG7hwExSakl5R3+0WcgSDA+k64QFAv2yV2dIdeKmm+vl+S0m5kZ3la/h
         6AuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780586563; x=1781191363;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=d57863DyLZ15Xl19eK7AJO9RSKTq1a/9ZBFF5sPg3ZM=;
        b=snnFQ2/TOdVw+Jiq2+VRPfn83aVxW2EMvQ4jsZiYbQriLZQrfcXBbuyk2zvQcL952f
         FET0gD7ZsOmIhOiBmtuz0tRqS7V2PXN9EbmewQKVZhHsBreo0ouwb9CsP8cKp7njeGqJ
         e3tmukNvSqwV3UhxT6amCzHXutpF+MiiXnlXedLofK2bu4YK8vjHzJMGoCDcA4NRhtrP
         NWZ8jXrGMxJ4Vvq2z/9aH1K8FTr7cw+4tNr1ybvARP7+QPNHwuWk1jdoUsxzB6/Rgi8M
         YnIUwXaPjmphl7y4kpGrEu9V+HeAVK858mnbxMfdL0L42bi8VH8o3EoucVJHulp2EQnl
         VbYA==
X-Forwarded-Encrypted: i=1;
 AFNElJ+0t+XGcVRUfKoQD8JQ2Gh2bSIXvK05TH7GrUCdWgoCsjy74cGnwDtX4hmGEe9JwaMt2dBxpKlKLl5t6bU=@vger.kernel.org
X-Gm-Message-State: AOJu0YxvjOPlrjph78E7jDj1X+NEhsjl1BQqt3MDCshtT1x7xOPsTsz6
	UaLDqbJHCl7tVcQiTV2J3laVVCw6cO1hNd7AEVw6Clb6UqhTfTtjdSzHyeRAwSwg/jAW
X-Gm-Gg: Acq92OFWedyPFj4YleUQwM2plt45GCwx+uLn1wbuuY/eOv3ynw8z+zIKixfBnEIPtP3
	y9S0Nc7C+FJ8gaac4386Zr7uLj0hw4ffxXUQDluw6ypieqZZZSxs4i5vQR6dGOgIfWw1XHL6FV9
	BUP0DVBfwEUY5GkO+xmlEV/cmkuVluv9A360+KFr74FHrGAuUYIaJSZwgjnbHFui1F+nhQyhTvC
	1eQSjTelrmi0MQuNSeMIAr2JF3QlW9Zv6gLqSIudtz2qsmgeqvRoYBTUmLXPjWx3oANwXVtEanp
	YGB7RBjwEVOs1impOtu2IyXsoGqCOLPOSjTor18sDhHRrl/QgJtTAs8s5XCdt7X/JhFb+ScJ3al
	MSvWucdvboGt0uCgcRU53odJC0h4xIgwRdKi7R5+unc6P+yrKzGP6/6CJcPnx4V67zrRzR6q2c8
	sJVx+/TtFnmMo/AZKuPhJpV5pL+Un+f2h6TKrO9sb0McJ9CZUO78t5s+zXjRz07BMoac5OzhsiG
	HiTdKIvzjwVmYrcsPyXjhKpoVvV0dBObpnTeYelzmUxIsTVqXF5t9k=
X-Received: by 2002:a05:600c:8505:b0:490:3cf0:8d81 with SMTP id
 5b1f17b1804b1-490bc4ff20bmr71110015e9.13.1780586562894;
        Thu, 04 Jun 2026 08:22:42 -0700 (PDT)
Received: from PeakBook-Mini.tail8e484.ts.net ([178.197.223.24])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-490bc3cc140sm95418975e9.9.2026.06.04.08.22.41
        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);
        Thu, 04 Jun 2026 08:22:42 -0700 (PDT)
From: Doruk Tan Ozturk <doruk@0sec.ai>
To: david@ixit.cz,
	oe-linux-nfc@lists.linux.dev
Cc: david.laight.linux@gmail.com,
	horms@kernel.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH net v3] nfc: llcp: bound SNL TLV parsing to the skb and add
 length checks
Date: Thu,  4 Jun 2026 17:22:40 +0200
Message-ID: <20260604152240.14162-1-doruk@0sec.ai>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

nfc_llcp_recv_snl() walked the SNL TLV list using a u16 offset/length
pair derived from skb->len, without bounding reads to the actual skb
data. Three problems followed:

  - For a short frame (skb->len < LLCP_HEADER_SIZE), tlv_len underflowed.
  - The per-TLV header (type, length) was read without checking that two
    bytes remained.
  - A declared TLV length could run past the end of the buffer, and an
    SDREQ with length =3D=3D 0 made "service_name_len =3D length - 1" under=
flow
    (size_t), driving an out-of-bounds read in the following strncmp() /
    nfc_llcp_sock_from_sn(). The SDRES case likewise read tlv[2]/tlv[3]
    without a length check.

A nearby NFC device can reach this without authentication; LLCP link
activation happens automatically after NFC-DEP.

Walk the TLV list by pointer, bounded by skb_tail_pointer() over the
linear skb data, and validate each TLV declared length before use. Add
explicit length checks for SDREQ (>=3D 1) and SDRES (exactly 2).

Found by 0sec automated security-research tooling (https://0sec.ai).

Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
v3 (review cleanups, no functional change to the fix):
 - Comment that only the linear part of the skb is parsed (David Laight).
 - Use int for service_name_len and print the bounded service name
   directly with %.*s; drop the min_t()/cast (David Laight).
 - Require SDRES length to be exactly 2, not just >=3D 2 (David Laight).

v2: https://lore.kernel.org/netdev/20260603135935.62647-1-doruk@0sec.ai/
 - Walk by pointer bounded on skb_tail_pointer(); drop the 16-bit
   offset/tlv_len math and fix the short-frame underflow (David Laight).
 - Add an SDRES length check alongside SDREQ length >=3D 1 (David Laight).
 - Bound the SDREQ service-name pr_debug to the field length.
 - Rebased onto linux-nfc for-next (David Heidelberg).

 net/nfc/llcp_core.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index dc65c719f..aed5fe1af 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1286,10 +1286,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local =
*local,
 {
 	struct nfc_llcp_sock *llcp_sock;
 	u8 dsap, ssap, type, length, tid, sap;
-	const u8 *tlv;
-	u16 tlv_len, offset;
+	const u8 *tlv, *tlv_end;
 	const char *service_name;
-	size_t service_name_len;
+	int service_name_len;
 	struct nfc_llcp_sdp_tlv *sdp;
 	HLIST_HEAD(llc_sdres_list);
 	size_t sdres_tlvs_len;
@@ -1305,22 +1304,34 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local=
 *local,
 		return;
 	}
=20
+	/*
+	 * Walk the SNL TLV list in the linear part of the skb only,
+	 * bounded by skb_tail_pointer(). Each TLV needs a two-byte
+	 * header (type, length) and its declared length must fit before
+	 * the end; this also keeps the walk safe for very short frames.
+	 */
 	tlv =3D &skb->data[LLCP_HEADER_SIZE];
-	tlv_len =3D skb->len - LLCP_HEADER_SIZE;
-	offset =3D 0;
+	tlv_end =3D skb_tail_pointer(skb);
 	sdres_tlvs_len =3D 0;
=20
-	while (offset < tlv_len) {
+	while (tlv + 2 < tlv_end) {
 		type =3D tlv[0];
 		length =3D tlv[1];
=20
+		if (tlv + 2 + length > tlv_end)
+			break;
+
 		switch (type) {
 		case LLCP_TLV_SDREQ:
+			if (length < 1)
+				break;
+
 			tid =3D tlv[2];
 			service_name =3D (char *) &tlv[3];
 			service_name_len =3D length - 1;
=20
-			pr_debug("Looking for %.16s\n", service_name);
+			pr_debug("Looking for %.*s\n", service_name_len,
+				 service_name);
=20
 			if (service_name_len =3D=3D strlen("urn:nfc:sn:sdp") &&
 			    !strncmp(service_name, "urn:nfc:sn:sdp",
@@ -1380,6 +1391,9 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *=
local,
 			break;
=20
 		case LLCP_TLV_SDRES:
+			if (length !=3D 2)
+				break;
+
 			mutex_lock(&local->sdreq_lock);
=20
 			pr_debug("LLCP_TLV_SDRES: searching tid %d\n", tlv[2]);
@@ -1408,7 +1422,6 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *=
local,
 			break;
 		}
=20
-		offset +=3D length + 2;
 		tlv +=3D length + 2;
 	}
=20
--=20
2.53.0