Re: [PATCH net v2] nfc: digital: clamp SENSF_RES length to the destination buffer
From: Alexander Lobakin <aleksander.lobakin@intel.com>
Date: 2026-06-03 14:28:38
Also in:
lkml, oe-linux-nfc, stable
From: Doruk Tan Ozturk <redacted> Date: Wed, 3 Jun 2026 16:13:55 +0200
digital_in_recv_sensf_res() memcpy()s resp->len bytes from a remote NFC-F device response into the NFC_SENSF_RES_MAXSIZE-byte target.sensf_res field without an upper-bound check. A nearby malicious NFC-F device can send an oversized SENSF_RES response to overflow the stack-local struct nfc_target. Clamp resp->len to NFC_SENSF_RES_MAXSIZE before the copy. Found by 0sec automated security-research tooling (https://0sec.ai). Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support") Cc: stable@vger.kernel.org Signed-off-by: Doruk Tan Ozturk <redacted>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
quoted hunk ↗ jump to hunk
--- v2: - Clamp resp->len with min_t() before the copy (Alexander Lobakin). - Add Fixes: tag and Cc: stable (Alexander Lobakin). - Frame as a stack buffer overflow (saved-return overwrite not demonstrated). net/nfc/digital_technology.c | 2 ++ 1 file changed, 2 insertions(+)diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c index ae63c5eb0..ae6487c10 100644 --- a/net/nfc/digital_technology.c +++ b/net/nfc/digital_technology.c@@ -778,6 +778,8 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg, sensf_res = (struct digital_sensf_res *)resp->data; + resp->len = min_t(unsigned int, resp->len, NFC_SENSF_RES_MAXSIZE); + memcpy(target.sensf_res, sensf_res, resp->len); target.sensf_res_len = resp->len;
I was wondering whether we need to record this in the kernel log. But given that a malicious device can and would be happy to flood with such packets, it would be pr_warn_once() or something similar at max. But I guess it's not needed at all, we can just silently clamp such packets? Thanks, Olek