Message-ID: <20251210081605.3855663-1-michael.thalmeier@hale.at>
Date: Wed, 10 Dec 2025 09:16:05 +0100
From: Michael Thalmeier <michael.thalmeier@...e.at>
To: Deepak Sharma <deepak.sharma.472935@...il.com>,
	Krzysztof Kozlowski <krzk@...nel.org>,
	Vadim Fedorenko <vadim.fedorenko@...ux.dev>,
	Simon Horman <horms@...nel.org>
Cc: linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	Michael Thalmeier <michael.thalmeier@...e.at>,
	stable@...r.kernel.org
Subject: [PATCH v2] net: nfc: nci: Fix parameter validation for packet data

Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
packet data") communication with nci nfc chips is not working any more.

The mentioned commit tries to fix access of uninitialized data, but
failed to understand that in some cases the data packet is of variable
length and can therefore not be compared to the maximum packet length
given by the sizeof(struct).

For these cases it is only possible to check for minimum packet length.

Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
Cc: stable@...r.kernel.org
Signed-off-by: Michael Thalmeier <michael.thalmeier@...e.at>
---
Changes in v2:
- Reference correct commit hash

---
 net/nfc/nci/ntf.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 418b84e2b260..5161e94f067f 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
 	struct nci_conn_info *conn_info;
 	int i;
 
-	if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
+	/* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */
+	if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry)))
 		return -EINVAL;
 
 	ntf = (struct nci_core_conn_credit_ntf *)skb->data;
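Review bot: the new minimum covers exactly one entry, but nothing in this hunk bounds the reads that follow once `ntf->num_entries` is known (the `int i;` counter points at a per-entry loop), so a header announcing more entries than the packet carries still walks past `skb->len`. Suggest a second check after the cast, e.g. `if (skb->len < sizeof(__u8) + ntf->num_entries * sizeof(struct conn_credit_entry)) return -EINVAL;`, so the loop stays inside the packet.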
@@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
 	const __u8 *data;
 	bool add_target = true;
 
-	if (skb->len < sizeof(struct nci_rf_discover_ntf))
+	/* Minimal packet size is 5 if rf_tech_specific_params_len=0 */
+	if (skb->len < (5 * sizeof(__u8)))
 		return -EINVAL;
 
 	data = skb->data;
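Review bot: `5 * sizeof(__u8)` is a magic number tied to the layout of struct nci_rf_discover_ntf; deriving it from the struct (offset of the variable-length member plus the trailing fixed bytes) or a named constant would keep the check in sync if the layout changes. As the comment says, 5 is only the minimum for rf_tech_specific_params_len=0, so the code that consumes `data` must still verify that rf_tech_specific_params_len bytes plus the trailing fixed part fit in the remaining skb->len before reading them.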
@@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
 	const __u8 *data;
 	int err = NCI_STATUS_OK;
 
-	if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
+	/* Minimal packet size is 11 if
+	 * f_tech_specific_params_len=0 and activation_params_len=0
+	 */
+	if (skb->len < (11 * sizeof(__u8)))
 		return -EINVAL;
 
 	data = skb->data;
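Review bot: the comment names `f_tech_specific_params_len`, which does not match `rf_tech_specific_params_len` in the previous hunk; fix the name so the two minimum-size comments agree. As with the discover notification, `11 * sizeof(__u8)` covers only the fixed part, so both length fields (rf_tech_specific_params_len and activation_params_len) need a remaining-length check against skb->len at the point where the variable parts are parsed.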
-- 
2.52.0
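The distinction the commit message draws, a minimum-length check for variable-length notifications instead of comparing against sizeof(struct), as an added C example that is not part of the patch or of the kernel's NCI code; the struct layout, field names, MAX_ENTRIES and the packets are constructed for this example and mirror the credits notification only in shape.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout mirroring the NCI core connection credits notification:
 * one num_entries byte followed by num_entries two-byte entries. Field names
 * and MAX_ENTRIES are assumptions for this example, not kernel definitions. */
#define MAX_ENTRIES 8
struct credit_entry { uint8_t conn_id; uint8_t credits; };
struct credits_ntf { uint8_t num_entries; struct credit_entry entry[MAX_ENTRIES]; };

/* The check the patch replaces: comparing against sizeof(struct) refuses a
 * valid one-entry packet (3 bytes) because the struct holds the maximum. */
int parse_credits_sizeof(const uint8_t *data, size_t len, struct credits_ntf *out)
{
	if (len < sizeof(struct credits_ntf))
		return -1;
	memcpy(out, data, sizeof(*out));
	return 0;
}

/* Minimum-length check as in the patch, plus a second bound once num_entries
 * is known, so the per-entry reads never run past len. */
int parse_credits_bounded(const uint8_t *data, size_t len, struct credits_ntf *out)
{
	size_t n, i;

	if (len < sizeof(uint8_t) + sizeof(struct credit_entry))
		return -1;
	n = data[0];
	if (n > MAX_ENTRIES || len < sizeof(uint8_t) + n * sizeof(struct credit_entry))
		return -1; /* header claims more entries than the packet carries */
	out->num_entries = (uint8_t)n;
	for (i = 0; i < n; i++) {
		out->entry[i].conn_id = data[1 + 2 * i];
		out->entry[i].credits = data[2 + 2 * i];
	}
	return 0;
}

/* Constructed packets: a valid one-entry notification, and a header that
 * announces three entries while only carrying two. */
static const uint8_t one_entry[] = { 0x01, 0x00, 0x02 };
static const uint8_t short_body[] = { 0x03, 0x00, 0x02, 0x01, 0x05 };

/* Outcomes as return values: 1 when the parser behaves as described above. */
int sizeof_check_rejects_valid(void) { struct credits_ntf n; return parse_credits_sizeof(one_entry, sizeof one_entry, &n) == -1; }
int bounded_check_accepts_valid(void) { struct credits_ntf n; return parse_credits_bounded(one_entry, sizeof one_entry, &n) == 0 && n.entry[0].credits == 2; }
int bounded_check_rejects_short_body(void) { struct credits_ntf n; return parse_credits_bounded(short_body, sizeof short_body, &n) == -1; }
```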

