Message-ID: <743244a0-41ea-4e7f-bd81-6814e852971d@redhat.com>
Date: Thu, 18 Dec 2025 16:36:16 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Michael Thalmeier <michael.thalmeier@...e.at>,
 Deepak Sharma <deepak.sharma.472935@...il.com>,
 Krzysztof Kozlowski <krzk@...nel.org>,
 Vadim Fedorenko <vadim.fedorenko@...ux.dev>, Simon Horman <horms@...nel.org>
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH v2] net: nfc: nci: Fix parameter validation for packet
 data

On 12/10/25 9:16 AM, Michael Thalmeier wrote:
> Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
> packet data") communication with nci nfc chips is not working any more.
> 
> The mentioned commit tries to fix access of uninitialized data, but
> failed to understand that in some cases the data packet is of variable
> length and can therefore not be compared to the maximum packet length
> given by the sizeof(struct).
> 
> For these cases it is only possible to check for minimum packet length.
> 
> Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
> Cc: stable@...r.kernel.org
> Signed-off-by: Michael Thalmeier <michael.thalmeier@...e.at>
> ---
> Changes in v2:
> - Reference correct commit hash

Minor nit: you should include the target tree ('net' in this case) in
the subj prefix.

>  net/nfc/nci/ntf.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 418b84e2b260..5161e94f067f 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c
> @@ -58,7 +58,8 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
>  	struct nci_conn_info *conn_info;
>  	int i;
>  
> -	if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
> +	/* Minimal packet size for num_entries=1 is 1 x __u8 + 1 x conn_credit_entry */
> +	if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry)))
>  		return -EINVAL;

You can still perform a complete check, splitting such an operation into
two steps:

First, ensure that the input contains enough data to include the
length-related field; after reading such a field, check that the length is
valid and the packet len matches it.

>  
>  	ntf = (struct nci_core_conn_credit_ntf *)skb->data;
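Review bot: the new minimum in `if (skb->len < (sizeof(__u8) + sizeof(struct conn_credit_entry)))` only proves that the first entry is present; the comment itself says it is sized for `num_entries=1`, and the `int i;` in the context indicates the entries are walked afterwards, so a frame that declares more entries than it carries is still read past the received bytes, which is exactly what the `Fixes:` commit set out to stop. After `ntf` is assigned from `skb->data`, add a second check of the form `if (skb->len < sizeof(__u8) + ntf->num_entries * sizeof(struct conn_credit_entry)) return -EINVAL;` (with `num_entries` also capped at the size of the entries array), and express the fixed prefix as `offsetof()` of the entries array rather than `sizeof(__u8)`, which is 1 by definition and says nothing about which field is meant.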
> @@ -364,7 +365,8 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
>  	const __u8 *data;
>  	bool add_target = true;
>  
> -	if (skb->len < sizeof(struct nci_rf_discover_ntf))
> +	/* Minimal packet size is 5 if rf_tech_specific_params_len=0 */
> +	if (skb->len < (5 * sizeof(__u8)))

Instead of using a magic number, you could/should use:
	 offsetof(struct nci_rf_discover_ntf, rf_tech_specific_params_len)

which will make the comment unneeded. Also, the same consideration about
full validation applies here.

>  		return -EINVAL;
>  
>  	data = skb->data;
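Review bot: `5 * sizeof(__u8)` is a magic number that, per the comment, is only the size of the frame when `rf_tech_specific_params_len=0`; it says nothing about whether the `rf_tech_specific_params_len` bytes that follow the length byte were actually received before `data = skb->data` is parsed. Derive the fixed part from the struct instead, e.g. `offsetof(struct nci_rf_discover_ntf, rf_tech_specific_params_len) + sizeof(__u8)` as the first-step minimum so the length byte is guaranteed readable and the comment becomes redundant, and after reading that byte add a second check that the declared length plus the fixed bytes before and after it still fit in `skb->len`, returning -EINVAL otherwise, before the variable-length section is consumed.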
> @@ -596,7 +598,10 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  	const __u8 *data;
>  	int err = NCI_STATUS_OK;
>  
> -	if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
> +	/* Minimal packet size is 11 if
> +	 * f_tech_specific_params_len=0 and activation_params_len=0
> +	 */
> +	if (skb->len < (11 * sizeof(__u8)))
>  		return -EINVAL;
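Review bot: the comment's `f_tech_specific_params_len` drops the leading `r` of `rf_tech_specific_params_len` as the field is named in the previous hunk; fix the spelling so the comment matches the identifier. More substantively, with two length-prefixed variable sections (`rf_tech_specific_params_len` and `activation_params_len`) a single `11 * sizeof(__u8)` minimum cannot bound either of them: each length byte needs its own follow-up check that the bytes it announces lie within `skb->len` before that section is parsed, and the fixed parts are better written as `offsetof()` on `struct nci_rf_intf_activated_ntf` than as a literal 11 that the comment then has to explain.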

Again all the above applies here, too.

/P
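The two-step check described in the reply above, worked through for the credits notification of the first hunk, as an added user-space example that is not part of the patch or of the kernel. The struct layouts, the `NCI_MAX_NUM_CONN` cap and the `struct pkt` stand-in for the socket buffer are assumptions modelled on the names that appear in the patch, and the frames are constructed rather than captured. The same pattern (read the length field only after the bytes up to it are proven present, then bound the declared length against what was actually received) applies to the byte-counted `rf_tech_specific_params_len` and `activation_params_len` sections in the other two hunks.

```c
/*
 * Added example (not from the patch or the kernel): two-step length
 * validation for a variable-length NCI notification.
 * The structs and NCI_MAX_NUM_CONN are simplified stand-ins modelled on the
 * names used in the patch, not the kernel's definitions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCI_MAX_NUM_CONN 10 /* assumed cap on entries, named after the kernel constant */

struct conn_credit_entry {
	uint8_t conn_id;
	uint8_t credits;
} __attribute__((packed));

/* Wire layout: one count byte followed by up to NCI_MAX_NUM_CONN entries.
 * sizeof() of this struct is the largest possible frame, which is why
 * comparing skb->len against it rejects every frame carrying fewer entries. */
struct nci_core_conn_credit_ntf {
	uint8_t num_entries;
	struct conn_credit_entry conn_entries[NCI_MAX_NUM_CONN];
} __attribute__((packed));

/* Minimal stand-in for the socket buffer: the bytes received and their count. */
struct pkt {
	const uint8_t *data;
	size_t len;
};

/* The check the patch replaces: a fixed-size comparison against the largest
 * possible frame. Returns -EINVAL for any shorter (but possibly valid) frame. */
static int fixed_size_check(const struct pkt *skb)
{
	return skb->len < sizeof(struct nci_core_conn_credit_ntf) ? -EINVAL : 0;
}

/* Two-step validation. Step 1: enough bytes to read the count field.
 * Step 2: the count is within bounds and the frame really carries that many
 * entries. Only then are entries copied out. Returns the number of entries
 * parsed, or -EINVAL. */
static int parse_conn_credits(const struct pkt *skb,
			      struct conn_credit_entry *out, size_t out_cap)
{
	const struct nci_core_conn_credit_ntf *ntf;
	size_t hdr = offsetof(struct nci_core_conn_credit_ntf, conn_entries);
	size_t need;

	if (skb->len < hdr)				/* step 1 */
		return -EINVAL;
	ntf = (const struct nci_core_conn_credit_ntf *)skb->data;

	/* step 2a: bound the declared count before using it in arithmetic */
	if (ntf->num_entries > NCI_MAX_NUM_CONN || (size_t)ntf->num_entries > out_cap)
		return -EINVAL;
	need = hdr + (size_t)ntf->num_entries * sizeof(struct conn_credit_entry);
	if (skb->len < need)				/* step 2b: payload covers the count */
		return -EINVAL;

	memcpy(out, ntf->conn_entries, (size_t)ntf->num_entries * sizeof(*out));
	return ntf->num_entries;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_two_entries[] = { 0x02, 0x01, 0x05, 0x02, 0x03 };
static const uint8_t frame_truncated[]   = { 0x02, 0x01, 0x05 }; /* claims 2, carries 1 */
static const uint8_t frame_no_entries[]  = { 0x00 };

/* Run the two-step parser over a raw frame; returns entries parsed or -EINVAL. */
static int check_new(const uint8_t *buf, size_t len)
{
	struct conn_credit_entry entries[NCI_MAX_NUM_CONN];
	struct pkt skb = { buf, len };

	return parse_conn_credits(&skb, entries, NCI_MAX_NUM_CONN);
}

/* Run the old fixed-size check over a raw frame; returns 0 or -EINVAL. */
static int check_old(const uint8_t *buf, size_t len)
{
	struct pkt skb = { buf, len };

	return fixed_size_check(&skb);
}

int main(void)
{
	printf("old check, 2-entry frame: %d (valid frame rejected)\n",
	       check_old(frame_two_entries, sizeof(frame_two_entries)));
	printf("new check, 2-entry frame: %d entries\n",
	       check_new(frame_two_entries, sizeof(frame_two_entries)));
	printf("new check, truncated frame: %d\n",
	       check_new(frame_truncated, sizeof(frame_truncated)));
	printf("new check, count-only frame: %d entries\n",
	       check_new(frame_no_entries, sizeof(frame_no_entries)));
	printf("new check, zero-length frame: %d\n", check_new(frame_two_entries, 0));
	return 0;
}
```

The old check rejects the perfectly valid five-byte frame because it compares against the 21-byte maximum, while the patch's new minimum alone would accept the truncated frame and let the loop read one entry past the received bytes; only the second step, computed from the count that was just read, closes both gaps.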

