Message-ID: <4d6a1f0b-946e-4acb-bfe4-1e9317fd144e@hale.at>
Date: Wed, 7 Jan 2026 11:06:27 +0100
From: Michael Thalmeier <michael.thalmeier@...e.at>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Deepak Sharma <deepak.sharma.472935@...il.com>,
 Krzysztof Kozlowski <krzk@...nel.org>,
 Vadim Fedorenko <vadim.fedorenko@...ux.dev>, Simon Horman
 <horms@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
 Michael Thalmeier <michael@...lmeier.at>, stable@...r.kernel.org
Subject: Re: [PATCH net v4] net: nfc: nci: Fix parameter validation for packet
 data

On 04.01.26 at 19:13, Jakub Kicinski wrote:
> On Tue, 23 Dec 2025 08:25:52 +0100 Michael Thalmeier wrote:
>> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
>> index 418b84e2b260..a5cafcd10cc3 100644
>> --- a/net/nfc/nci/ntf.c
>> +++ b/net/nfc/nci/ntf.c
> 
>> @@ -380,6 +384,10 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
>>   	pr_debug("rf_tech_specific_params_len %d\n",
>>   		 ntf.rf_tech_specific_params_len);
>>   
>> +	if (skb->len < (data - skb->data) +
>> +			ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
>> +		return -EINVAL;
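Review bot: the added check in nci_rf_discover_ntf_packet() only proves that rf_tech_specific_params_len bytes (plus ntf_type) are physically present in the skb; it does not bound the reads that nci_extract_rf_params_nfca_passive_poll() and the other per-technology extractors perform inside that region, so a packet whose declared params length is shorter than what the extractor walks is still accepted by this hunk. Suggest passing the remaining length (rf_tech_specific_params_len, or skb->len minus the current offset) into the extractors and checking each read against it there, rather than reproducing their field layout at this call site; that keeps the validation next to the parsing it protects.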
> 
> Are we validating ntf.rf_tech_specific_params_len against the
> extraction logic in nci_extract_rf_params_nfca_passive_poll()
> and friends?

You are right. The current patch is only validating that the received 
packet is consistent in the way that the rf_tech_specific_params_len 
number of bytes is also contained in the buffer.

There is currently no code that validates that 
nci_extract_rf_params_nfca_passive_poll and friends only access the 
given number of bytes in their logic.
And to be frank, I do not know how to implement this without either 
cluttering the code with validation logic or re-implementing half the 
parsing logic for length validation.
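The cleanest way out of the dilemma above (validation clutter versus duplicated parsing) is to make the parser itself bounds-checked: give the extractors a cursor that carries its remaining length, so every read is validated in one place and the call site only has to limit the cursor to rf_tech_specific_params_len. The following is an added example written for this reply, not code from the kernel or from the patch; the cursor helpers, struct names and the parse_discover_ntf() function are hypothetical, and the field layout of the NFC-A passive poll parameters (SENS_RES, NFCID1 length and bytes, SEL_RES length and byte) follows the NCI specification. The sample packet is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounded cursor (hypothetical helper): each read checks the remaining
 * length, so the extractors carry no length arithmetic of their own. */
struct cur {
	const uint8_t *p;
	size_t left;
};

static int cur_u8(struct cur *c, uint8_t *v)
{
	if (c->left < 1)
		return -EINVAL;
	*v = *c->p++;
	c->left--;
	return 0;
}

static int cur_bytes(struct cur *c, void *dst, size_t n)
{
	if (c->left < n)
		return -EINVAL;
	memcpy(dst, c->p, n);
	c->p += n;
	c->left -= n;
	return 0;
}

/* NFC-A passive poll parameters as laid out by the NCI specification. */
struct nfca_poll {
	uint8_t sens_res[2];
	uint8_t nfcid1_len;
	uint8_t nfcid1[10];
	uint8_t sel_res_len;
	uint8_t sel_res;
};

/* The extractor reads through the cursor only; a declared params length
 * that is too short for the fields it needs fails inside cur_* calls. */
static int extract_nfca_passive_poll(struct cur *c, struct nfca_poll *out)
{
	int rc;

	if ((rc = cur_bytes(c, out->sens_res, 2)) ||
	    (rc = cur_u8(c, &out->nfcid1_len)))
		return rc;
	if (out->nfcid1_len > sizeof(out->nfcid1))
		return -EINVAL;
	if ((rc = cur_bytes(c, out->nfcid1, out->nfcid1_len)) ||
	    (rc = cur_u8(c, &out->sel_res_len)))
		return rc;
	if (out->sel_res_len > 1)
		return -EINVAL;
	if (out->sel_res_len)
		return cur_u8(c, &out->sel_res);
	return 0;
}

struct discover_ntf {
	uint8_t rf_discovery_id;
	uint8_t rf_protocol;
	uint8_t rf_tech_and_mode;
	uint8_t rf_tech_specific_params_len;
	struct nfca_poll nfca;
	uint8_t ntf_type;
};

#define NFC_A_PASSIVE_POLL_MODE 0x00 /* NCI RF technology and mode value */

static int parse_discover_ntf(const uint8_t *pkt, size_t len,
			      struct discover_ntf *ntf)
{
	struct cur c = { pkt, len }, params;
	int rc;

	memset(ntf, 0, sizeof(*ntf));
	if ((rc = cur_u8(&c, &ntf->rf_discovery_id)) ||
	    (rc = cur_u8(&c, &ntf->rf_protocol)) ||
	    (rc = cur_u8(&c, &ntf->rf_tech_and_mode)) ||
	    (rc = cur_u8(&c, &ntf->rf_tech_specific_params_len)))
		return rc;

	/* Same check as the patch: declared params plus ntf_type must fit. */
	if (c.left < (size_t)ntf->rf_tech_specific_params_len + 1)
		return -EINVAL;

	/* Sub-cursor limited to the declared params: the extractor can
	 * neither run past them nor into the bytes that follow. */
	params.p = c.p;
	params.left = ntf->rf_tech_specific_params_len;
	if (ntf->rf_tech_and_mode == NFC_A_PASSIVE_POLL_MODE) {
		rc = extract_nfca_passive_poll(&params, &ntf->nfca);
		if (rc)
			return rc;
		/* Strict choice: the declared length must be fully consumed. */
		if (params.left)
			return -EINVAL;
	}
	c.p += ntf->rf_tech_specific_params_len;
	c.left -= ntf->rf_tech_specific_params_len;
	return cur_u8(&c, &ntf->ntf_type);
}

/* Constructed sample: id 1, protocol 4, NFC-A poll, 9 params bytes, type 2. */
static const uint8_t sample_pkt[] = {
	0x01, 0x04, 0x00, 0x09,
	0x44, 0x00, 0x04, 0x08, 0x11, 0x22, 0x33, 0x01, 0x20,
	0x02
};
```

The strict "params fully consumed" check is a design choice; dropping it tolerates trailing bytes a newer controller might append, while still preventing the extractor from reading outside the declared region.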
