f040e590c0
Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read packet->header from skb->data at function entry without first checking that the buffer holds at least one byte. A malicious NFC peer can send a 0-byte HCP frame that passes through the SHDLC layer and reaches these functions, causing an out-of-bounds heap read of packet->header. The same 0-byte frame, if queued as a non-final fragment, also causes the reassembly loop to underflow msg_len to UINT_MAX, triggering skb_over_panic() when the reassembled skb is written. Fix this by adding a pskb_may_pull() check at the entry of each function before packet->header is first accessed. The existing pskb_may_pull() checks before the reassembled hcp_skb is cast to struct hcp_packet remain in place to guard the 2-byte HCP message header. Fixes: |
||
|---|---|---|
| .. | ||
| hci | ||
| nci | ||
| Kconfig | ||
| Makefile | ||
| af_nfc.c | ||
| core.c | ||
| digital.h | ||
| digital_core.c | ||
| digital_dep.c | ||
| digital_technology.c | ||
| llcp.h | ||
| llcp_commands.c | ||
| llcp_core.c | ||
| llcp_sock.c | ||
| netlink.c | ||
| nfc.h | ||
| rawsock.c | ||