diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-09 17:18:14 +0200 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-04-12 11:40:45 -0700 |
| commit | 46ce8be2ced389bccd84bcc04a12cf2f4d0c22d1 (patch) | |
| tree | 04dd7dfec0fe64712cc32d92d050622fb9973278 /drivers/ide/ppc/git@git.tavy.me:linux.git | |
| parent | a6bd339dbb3514bce690fdcf252e788dfab4ee76 (diff) | |
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3
or 4 bytes to target->nfcid1 on each round, but the number of cascade
rounds is controlled entirely by the peer device. The peer sets the
cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the
cascade-incomplete bit in the SEL_RES (deciding whether another round
follows).
ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is
sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver
actually enforces this. This means a malicious peer can keep the
cascade running, writing past the heap-allocated nfc_target with each
round.
Fix this by rejecting the response when the accumulated UID would exceed
the buffer.
Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays")
fixed similar missing checks against the same field on the NCI path.
Cc: Simon Horman <horms@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026040913-figure-seducing-bd3f@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers/ide/ppc/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions