On 04.01.26 at 19:13, Jakub Kicinski wrote:
On Tue, 23 Dec 2025 08:25:52 +0100 Michael Thalmeier wrote:
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index 418b84e2b260..a5cafcd10cc3 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c
@@ -380,6 +384,10 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, pr_debug("rf_tech_specific_params_len %d\n", ntf.rf_tech_specific_params_len);
- if (skb->len < (data - skb->data) +
ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))return -EINVAL;
Are we validating ntf.rf_tech_specific_params_len against the extraction logic in nci_extract_rf_params_nfca_passive_poll() and friends?
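Review bot: the length check at the end of the hunk, `if (skb->len < (data - skb->data) + ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type)) return -EINVAL;`, only proves that the advertised rf_tech_specific_params_len bytes are present in the skb; nothing in the hunk bounds what nci_extract_rf_params_nfca_passive_poll() and the other per-technology extractors read from inside that region, so an extractor that walks embedded length bytes can still run past the declared parameters. Consider either checking rf_tech_specific_params_len against the minimum each extractor needs before dispatching on the RF technology, or passing the remaining length into the extractors and having them fail with -EINVAL when a read would exceed it.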
You are right. The current patch only validates that the received packet is consistent, in the sense that the rf_tech_specific_params_len bytes it advertises are actually contained in the buffer.
There is currently no code that validates that nci_extract_rf_params_nfca_passive_poll() and friends only access the given number of bytes in their logic. And to be frank, I do not know how to implement this without either cluttering the code with validation logic or re-implementing half of the parsing logic for length validation.
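One way to get the per-read validation discussed above without duplicating the parsing logic is to route every read through a small bounds-checked cursor, so the extractor itself refuses to step past the advertised length. The following is an added, user-space example written for this thread; it is not code from the patch or from net/nfc/nci/ntf.c. The field layout it parses (SENS_RES, NFCID1 length and bytes, SEL_RES length and byte), the 10-byte NFCID1 limit, the little-endian SENS_RES, and all helper names and sample buffers are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked cursor over the RF technology specific parameters area. */
struct param_cursor {
	const uint8_t *p;
	size_t left;
};

static int cur_u8(struct param_cursor *c, uint8_t *out)
{
	if (c->left < 1)
		return -EINVAL;
	*out = *c->p++;
	c->left--;
	return 0;
}

static int cur_bytes(struct param_cursor *c, void *out, size_t n)
{
	if (c->left < n)
		return -EINVAL;
	memcpy(out, c->p, n);
	c->p += n;
	c->left -= n;
	return 0;
}

#define NFCA_NFCID1_MAX 10	/* assumption: NFCID1 is at most 10 bytes */

struct nfca_poll_params {
	uint16_t sens_res;
	uint8_t nfcid1_len;
	uint8_t nfcid1[NFCA_NFCID1_MAX];
	uint8_t sel_res_len;
	uint8_t sel_res;
};

/*
 * Parse NFC-A poll-mode parameters from exactly @len bytes at @data.
 * Assumed layout: SENS_RES(2, LE) | NFCID1 len(1) | NFCID1(n) |
 *                 SEL_RES len(1) | SEL_RES(0 or 1).
 * Every read goes through the cursor, so an embedded length byte that
 * points past @len fails with -EINVAL instead of reading beyond the
 * parameters area. *consumed reports how many of the @len bytes were
 * used, so the caller can detect an advertised length that is too long.
 */
static int extract_nfca_poll(const uint8_t *data, size_t len,
			     struct nfca_poll_params *out, size_t *consumed)
{
	struct param_cursor c = { data, len };
	uint8_t lo, hi;
	int err;

	memset(out, 0, sizeof(*out));
	if ((err = cur_u8(&c, &lo)) || (err = cur_u8(&c, &hi)))
		return err;
	out->sens_res = (uint16_t)(lo | (hi << 8));

	if ((err = cur_u8(&c, &out->nfcid1_len)))
		return err;
	if (out->nfcid1_len > NFCA_NFCID1_MAX)
		return -EINVAL;	/* would overflow out->nfcid1 */
	if ((err = cur_bytes(&c, out->nfcid1, out->nfcid1_len)))
		return err;

	if ((err = cur_u8(&c, &out->sel_res_len)))
		return err;
	if (out->sel_res_len > 1)
		return -EINVAL;
	if (out->sel_res_len && (err = cur_u8(&c, &out->sel_res)))
		return err;

	*consumed = len - c.left;
	return 0;
}

/* Constructed sample: SENS_RES 0x0004, 4-byte NFCID1, SEL_RES 0x20, 3 spare bytes. */
static const uint8_t sample_ok[] = {
	0x04, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x20, 0xaa, 0xbb, 0xcc
};
/* Constructed sample: claims an 11-byte NFCID1, more than the struct holds. */
static const uint8_t sample_bad_len[] = { 0x04, 0x00, 0x0b, 0x01, 0x02 };

/* Result code for parsing @len bytes of @buf. */
static int sample_rc(const uint8_t *buf, size_t len)
{
	struct nfca_poll_params p;
	size_t used;

	return extract_nfca_poll(buf, len, &p, &used);
}

/* Bytes actually consumed when parsing @len bytes of @buf (0 on error). */
static size_t sample_used(const uint8_t *buf, size_t len)
{
	struct nfca_poll_params p;
	size_t used = 0;

	return extract_nfca_poll(buf, len, &p, &used) ? 0 : used;
}

int main(void)
{
	printf("exact length: rc=%d\n", sample_rc(sample_ok, 9));
	printf("truncated to 6 bytes: rc=%d (EINVAL=%d)\n",
	       sample_rc(sample_ok, 6), -EINVAL);
	printf("trailing bytes: used %zu of %zu\n",
	       sample_used(sample_ok, sizeof(sample_ok)), sizeof(sample_ok));
	printf("nfcid1_len too large: rc=%d\n",
	       sample_rc(sample_bad_len, sizeof(sample_bad_len)));
	return 0;
}
```

The cursor keeps the per-field checks inside the extractor where the reads happen, so the caller's job stays the single check that the advertised length fits in the skb, and the extractor's own reads can never exceed that advertised length.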