Unverified Commit f040e590 authored by Ashutosh Desai's avatar Ashutosh Desai Committed by David Heidelberg
Browse files

nfc: hci: fix out-of-bounds read in HCP header parsing 



Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08 ("NFC: HCI support")
Fixes: 11f54f22 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarAshutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com


Signed-off-by: default avatarDavid Heidelberg <david@ixit.cz>
parent b493ea27

net/nfc/hci/core.c

+10 −0
Original line number Diff line number Diff line
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct nfc_hci_dev *hdev, struct sk_buff *skb) 
	struct sk_buff *frag_skb;

	int msg_len;



	if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {

		kfree_skb(skb);

		return;

	}



	packet = (struct hcp_packet *)skb->data;

	if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {

		skb_queue_tail(&hdev->rx_hcp_frags, skb);
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct nfc_hci_dev *hdev, struct sk_buff *skb) 
	 * unblock waiting cmd context. Otherwise, enqueue to dispatch

	 * in separate context where handler can also execute command.

	 */

	if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {

		kfree_skb(hcp_skb);

		return;

	}



	packet = (struct hcp_packet *)hcp_skb->data;

	type = HCP_MSG_GET_TYPE(packet->message.header);

	if (type == NFC_HCI_HCP_RESPONSE) {

net/nfc/nci/hci.c

+10 −0
Original line number Diff line number Diff line
@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *context, 
		return;

	}



	if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {

		kfree_skb(skb);

		return;

	}



	packet = (struct nci_hcp_packet *)skb->data;

	if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {

		skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *context, 
	 * unblock waiting cmd context. Otherwise, enqueue to dispatch

	 * in separate context where handler can also execute command.

	 */

	if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {

		kfree_skb(hcp_skb);

		return;

	}



	packet = (struct nci_hcp_packet *)hcp_skb->data;

	type = NCI_HCP_MSG_GET_TYPE(packet->message.header);

	if (type == NCI_HCI_HCP_RESPONSE) {