From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44EA3257855 for ; Tue, 19 May 2026 01:23:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779153785; cv=none; b=uM8txUUDs6w3vUd2asb7YWRWO2ZacmieIUBKdQbJXv/SN05ZGM2IY2awFAmc1JNzVvHgUiUAAXr6GSxM/HI6HUpolm1z/k+nMFLtlI5RM4CwVZ8jgnz68WZ0ghVuTVgo8jPmnECMTo5SxvqrWQZT9RD/gHs1c5MG1JGTGBNOyVI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779153785; c=relaxed/simple; bh=VeXWv1s7VjIj16f62IeF3AHt/aQZkX3KYCOUQT1VU0s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=h0CtbN819FwDoM/3U0/nlN04j20u1BhW+ccl53eCnEszzcmMgjYIXM2RI9e1qQEyfX8LXEp4IVoUn3pcdkLRQ0dqtP9dh3Sdk5Kjx1YwQHuzpBzYqp6m1TXJKVCUxwsmZzVVEp6DQMlhCLEE5Vi6fhund81MdOd1n8jxdd0xhzs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DjiWy7Gt; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DjiWy7Gt" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-48d102471a4so23361745e9.2 for ; Mon, 18 May 2026 18:23:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779153783; x=1779758583; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JsZN4KBbcJX1FoY6/tUwgCFPOKTIi4RrtSn6JymXQo4=; b=DjiWy7Gt2o13EAY6WreAHqQWHjsPARbZ3CbVns8iFOnfswX4upOkm0Vj1eqVk0TJom VzBsOUAcToXs2dIekG088Cc94uQ4DkiBAZwlVSDVfVdJmmpbqHAP9/evg995SToNLvOP 7ZzePy7P5OJBn0GnaTip+Uf6FSPt5ihuJtrfoEIBJxz6AboQH/we9q5hGirTeCAgGsOn Rj5P4OVcGbZ6ed+J8Q2+gs5qmDySAiNjJo8c7XOsSuiepUSwlWXttf8Zb9Z/JfCsSj8S 7HH7VxFjm9A3VV9XxIH+dDfYCKp2eLB8vptaQVtAxG4OqGaUNdkoZ9CfpmKvh/xHM6cM r7wA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779153783; x=1779758583; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=JsZN4KBbcJX1FoY6/tUwgCFPOKTIi4RrtSn6JymXQo4=; b=NxpskERTscVDfkVQyS5zqg/GUr6WwSm9BFUL/AcgU8tr/wSdvCSQgUvipvWuFsGsR6 UqXeGsOwqJyZZRSBH8fgdnZTQOxzHQss3OzFDr4kBab4dbpiuhjuc9rrpqRzgIvYYqeJ ht24COajBA3jemt1rc/MB6gwVwiadu/ScnTgo68u5/MENuRA5WbuFheWyCGmUVTEgc/X dclvG+ruM/ylwLeJmWVJUKNKj56Lko9aB8bue/1gXXXBrZfvGLORW6YWl7Q8q74OTR9h nSfJGdEF7G4a/YMPy56FRzvG6FBf5Twmy7OV0SHbNN+APomLBtzntZdMgjQaJs7oNm1V Xc6w== X-Gm-Message-State: AOJu0YxXalQdgeDpRDiIowkZNNV895hG1OdjM2zojE8ROsEvCx/Gb2zz EurokoZhR7ZUzcpLZKwBfW8R5fhuAFKDRlElD4ZhAAvjZxpFwTsmOdFw X-Gm-Gg: Acq92OFsQVah9daarYTegfOi+rLiY2fLpSLqGDOhLehSOEStzbi1/NfoeZjrIHQnvXf cs1ieYE3QS6uS8fJKydh8vnkrR3JaVeJ2Lbrjpst52kKJq+nKwSXOGWpedcHThB0C5nyJpqsf6N 9gqexoVhFhKgErtGij9ib3bvm/jOMOob/2upZbmzAW42SQFkJeFCHQthfiTUy//nwt6QjYzwoMU 4PjzF5XmP1ebj0zx689kcmeZc6F/orc5QefvEYzjmASnALgDKKGCA6me0t6LfQk9lEcydWcDd8X +/9WdlAlcOMz9Ja+G0yXv5EJDSoMkW8q2vBKL6qtT3h9ZKqsghciplSkmcwiJveFMm3y5nMKbPa W4eicSYhvFjaPJNeeAX63iPOzVqt0CgqIlU7VmOd0Y5v+iBP8laToHVSVFwgpjBtHczSq5csMK5 dPS60HesC/eN86g/+0bOepNpmc871Dgn+aJkkkkS9u1buCA8pNpiCfhe0xPO634EQrL0mmRuxxG Da6G6phV0B8 X-Received: by 2002:a05:600d:10:b0:489:e696:8362 with SMTP id 5b1f17b1804b1-48fe60d7882mr221269375e9.13.1779153782352; Mon, 18 May 2026 18:23:02 -0700 (PDT) Received: from node ([202.47.63.86]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45d9ec39ff1sm44255416f8f.10.2026.05.18.18.22.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 18:23:02 -0700 (PDT) From: Muhammad Bilal To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, oe-linux-nfc@lists.linux.dev, david+nfc@ixit.cz, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, stable@vger.kernel.org, Muhammad Bilal Subject: [PATCH net 1/2] nfc: llcp: fix OOB read and u8 offset wrap in TLV parsers Date: Mon, 18 May 2026 21:19:36 -0400 Message-ID: <20260519011937.12903-2-meatuni001@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260519011937.12903-1-meatuni001@gmail.com> References: <20260519011937.12903-1-meatuni001@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit nfc_llcp_parse_gb_tlv() and nfc_llcp_parse_connection_tlv() contain three related bugs in their TLV parsing loops: 1. 'offset' is declared u8 but tlv_array_len is u16. When TLV data advances offset past 255 it silently wraps to zero, causing infinite loops or double-processing of buffer data. 2. Before reading tlv[0] (type) and tlv[1] (length) there is no check that offset+2 <= tlv_array_len. A truncated TLV causes an OOB read of one byte past the buffer end. 3. After reading the length field, the value bytes are accessed without checking offset+2+length <= tlv_array_len. A crafted length=0xFF on a short buffer causes up to 255 bytes of OOB read past the buffer end. Both functions are reachable without authentication via nfc_llcp_set_remote_gb() which feeds remote LLCP general bytes directly into nfc_llcp_parse_gb_tlv() with no additional validation. Fix all three issues by widening offset from u8 to u16 and adding bounds checks for both the TLV header and value field before each access. Fixes: 3df40eb3a2ea ("nfc: constify several pointers to u8, char and sk_buff") Cc: stable@vger.kernel.org Signed-off-by: Muhammad Bilal --- net/nfc/llcp_commands.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 291f26fac..9162f8161 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -193,7 +193,8 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, const u8 *tlv_array, u16 tlv_array_len) { const u8 *tlv = tlv_array; - u8 type, length, offset = 0; + u8 type, length; + u16 offset = 0; pr_debug("TLV array length %d\n", tlv_array_len); @@ -201,9 +202,20 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, return -ENODEV; while (offset < tlv_array_len) { + if (offset + 2 > tlv_array_len) { + pr_err("Truncated TLV header at offset %u\n", offset); + return -EINVAL; + } + type = tlv[0]; length = tlv[1]; + if (offset + 2 + length > tlv_array_len) { + pr_err("TLV length %u overflows buffer at offset %u\n", + length, offset); + return -EINVAL; + } + pr_debug("type 0x%x length %d\n", type, length); switch (type) { @@ -243,7 +255,8 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, const u8 *tlv_array, u16 tlv_array_len) { const u8 *tlv = tlv_array; - u8 type, length, offset = 0; + u8 type, length; + u16 offset = 0; pr_debug("TLV array length %d\n", tlv_array_len); @@ -251,9 +264,20 @@ int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, return -ENOTCONN; while (offset < tlv_array_len) { + if (offset + 2 > tlv_array_len) { + pr_err("Truncated TLV header at offset %u\n", offset); + return -EINVAL; + } + type = tlv[0]; length = tlv[1]; + if (offset + 2 + length > tlv_array_len) { + pr_err("TLV length %u overflows buffer at offset %u\n", + length, offset); + return -EINVAL; + } + pr_debug("type 0x%x length %d\n", type, length); switch (type) { -- 2.54.0