github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-13 00:28:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
593dfd40a9
linux/net/nfc
History
Greg Kroah-Hartman 46ce8be2ce NFC: digital: Bounds check NFC-A cascade depth in SDD response handler 
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device.  The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).

ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this.  This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.

Fix this by rejecting the response when the accumulated UID would exceed
the buffer.

Commit e329e71013 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.

Cc: Simon Horman <horms@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Fixes: 2c66daecc4 ("NFC Digital: Add NFC-A technology support")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-12 11:40:45 -07:00
..
hci Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nci nfc: nci: fix circular locking dependency in nci_close_device 2026-03-19 16:56:18 -07:00
af_nfc.c nfc: fix error handling of nfc_proto_register() 2021-10-13 17:32:38 -07:00
core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
digital_core.c nfc: digital: free skb on digital_in_send error paths 2026-03-04 18:16:10 -08:00
digital_dep.c net:nfc:digital: Fix a double free in digital_tg_recv_dep_req 2021-04-27 15:36:10 -07:00
digital_technology.c NFC: digital: Bounds check NFC-A cascade depth in SDD response handler 2026-04-12 11:40:45 -07:00
digital.h
Kconfig
llcp_commands.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
llcp_core.c nfc: llcp: add missing return after LLCP_CLOSED checks 2026-04-12 11:12:44 -07:00
llcp_sock.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
llcp.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
Makefile
netlink.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfc.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
rawsock.c nfc: rawsock: cancel tx_work before socket teardown 2026-03-04 18:18:57 -08:00