Syzbot reported an uninit-value bug at nci_init_req for commit
5aca7966d2a7

This bug arises due to very limited and poor input validation
that was done at net/nfc/nci/core.c:1543. This validation only
validates the skb->len (directly reflects size provided at the
userspace interface) with the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what opcode requires there. This leads to the accesses to
buffer of `skb_buff->data` which is not assigned anything yet

Following the same silent drop of packets of invalid sizes, at
net/nfc/nci/core.c:1543, I have added validation in the
`nci_nft_packet` which processes NFT packets and silently return
in case of failure of any validation check

Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of request
and will face timeouts. These timeouts can get excessively logged
in the dmesg. A proper handling of them may require to export
`nci_request_cancel` (or propagate error handling from the
nft packets handlers)

Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
Signed-off-by: Deepak Sharma <redacted>
---
  net/nfc/nci/ntf.c | 42 ++++++++++++++++++++++++++++++++++--------
  1 file changed, 34 insertions(+), 8 deletions(-)

diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index a818eff27e6b..f5e03f3ff203 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c

@@ -809,35 +809,61 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb)
  
  	switch (ntf_opcode) {
  	case NCI_OP_CORE_RESET_NTF:
-		nci_core_reset_ntf_packet(ndev, skb);
+		if (skb->len < sizeof(struct nci_core_reset_ntf))
+			goto end;
+		else
+			nci_core_reset_ntf_packet(ndev, skb);
  		break;