From: Oleh Konko
To: "netdev@vger.kernel.org"
CC: "davem@davemloft.net", "edumazet@google.com", "kuba@kernel.org", "pabeni@redhat.com", "horms@kernel.org", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: [PATCH net] nfc: llcp: fix tlv offset wrap and missing bounds checks
Date: Tue, 24 Mar 2026 21:25:41 +0000
Message-ID: <463598db3dea48fc963e8431181ae68a.security@1.0.0.127.in-addr.arpa>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv() iterate a u16 tlv_array_len with a u8 offset. once cumulative TLV consumption crosses 255 bytes, offset wraps and the loop may continue past the declared TLV array bounds.

both parsers also read tlv[1] before checking that a full 2-byte TLV header remains, and they advance by length + 2 without validating that the declared payload still fits in the remaining array.

fix this by widening offset to u16 and by rejecting incomplete headers or truncated TLVs before dereferencing or advancing the cursor.

Fixes: d646960f7986 ("NFC: Initial LLCP support")
Cc: stable@vger.kernel.org
Reported-by: Oleh Konko
Signed-off-by: Oleh Konko --- net/nfc/llcp_commands.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 291f26fac..157afd62f 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -193,7 +193,8 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, const u8 *tlv_array, u16 tlv_array_len) { const u8 *tlv =3D tlv_array; - u8 type, length, offset =3D 0; + u8 type, length; + u16 offset =3D 0; =20 pr_debug("TLV array length %d\n", tlv_array_len); =20 @@ -201,6 +202,9 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, return -ENODEV; =20 while (offset < tlv_array_len) { + if (tlv_array_len - offset < 2) + return -EINVAL; + type =3D tlv[0]; length =3D tlv[1]; =20 @@ -227,6 +231,9 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, break; } =20 + if (tlv_array_len - offset < (u16)length + 2) + return -EINVAL; + offset +=3D length + 2; tlv +=3D length + 2; } @@ -243,7 +250,8 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock = *sock, const u8 *tlv_array, u16 tlv_array_len) { const u8 *tlv =3D tlv_array; - u8 type, length, offset =3D 0; + u8 type, length; + u16 offset =3D 0; =20 pr_debug("TLV array length %d\n", tlv_array_len); =20 @@ -251,6 +259,9 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock = *sock, return -ENOTCONN; =20 while (offset < tlv_array_len) { + if (tlv_array_len - offset < 2) + return -EINVAL; + type =3D tlv[0]; length =3D tlv[1]; =20 @@ -270,6 +281,9 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock = *sock, break; } =20 + if (tlv_array_len - offset < (u16)length + 2) + return -EINVAL; + offset +=3D length + 2; tlv +=3D length + 2; } --=20 2.50.0
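Review bot: the truncated-TLV check in nfc_llcp_parse_gb_tlv() (hunk at -227,6) is placed after the closing "break; }" and immediately before "offset += length + 2", so everything between "length = tlv[1];" and that point runs before the declared length has been compared with the remaining array. The commit message promises rejection before dereferencing; if the code between those two points (outside the visible hunks) reads payload bytes, a short final TLV is still read past the array on the last iteration and only rejected afterwards. Suggest moving "if (tlv_array_len - offset < (u16)length + 2) return -EINVAL;" directly under "length = tlv[1];" so that both checks precede any payload access.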
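Review bot: the same placement concern applies to nfc_llcp_parse_connection_tlv() (hunk at -270,6), where the payload-fit check again follows "break; }" rather than the header read. Since both parsers now carry the same pair of checks, consider one small helper that validates the header and the declared length in a single place and is called at the top of each loop body, so the two copies cannot drift. Minor style point: the (u16) cast on length is redundant, because length is promoted to int in "length + 2" either way.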
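Review bot: the header checks added at the top of both loops (hunks at -201,6 and -251,6) introduce -EINVAL returns from inside the loop, whereas the only error returns visible in the context are -ENODEV and -ENOTCONN before the loop starts. The commit message does not say how callers treat the new return value, or whether anything applied from TLVs earlier in the same array should be kept when a later TLV is rejected. A sentence on the intended caller behaviour would make the change easier to review and to backport to stable.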
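The offset wrap and the two bounds checks described in the commit message, as a userspace model. This is an added example, not code from the patch or from the kernel tree; the names sample, legacy_walk_escapes and tlv_walk_checked are hypothetical, the input is constructed, and the checked walker performs both checks before touching the payload.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed input: three TLVs, each a 2-byte header plus 100 payload bytes
 * (type 0x01 is a constructed value), 306 bytes in total. */
static const uint8_t sample[306] = {
	[0] = 0x01, [1] = 100, [102] = 0x01, [103] = 100, [204] = 0x01, [205] = 100,
};

/* Pre-patch cursor arithmetic only: returns 1 when the loop condition still
 * holds although the next header lies outside the array, 0 otherwise. */
static int legacy_walk_escapes(const uint8_t *arr, uint16_t len)
{
	uint8_t offset = 0;  /* u8 offset, as before the patch */
	size_t pos = 0;      /* where the tlv pointer really is */
	while (offset < len) {
		if (pos + 2 > len)
			return 1;
		offset += arr[pos + 1] + 2;  /* wraps modulo 256 */
		pos += (size_t)arr[pos + 1] + 2;
	}
	return 0;
}

/* Both checks from the patch, made before the payload is touched.
 * Returns the number of TLVs walked, or -EINVAL on a malformed array. */
static int tlv_walk_checked(const uint8_t *arr, uint16_t len)
{
	uint16_t offset = 0;
	int count = 0;
	while (offset < len) {
		if (len - offset < 2)
			return -EINVAL;  /* incomplete header */
		if (len - offset < arr[offset + 1] + 2)
			return -EINVAL;  /* payload runs past the array */
		count++;  /* payload bytes are now known to be in bounds */
		offset += arr[offset + 1] + 2;
	}
	return count;
}

int main(void)
{
	printf("legacy escapes: %d\n", legacy_walk_escapes(sample, 306));
	printf("checked, full array: %d\n", tlv_walk_checked(sample, 306));
	printf("checked, one byte short: %d\n", tlv_walk_checked(sample, 305));
	return 0;
}
```

With the 306-byte array the u8 offset reads 50 after the third TLV while the real position is 306, which is why the legacy loop condition still holds at the end of the array.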