In the SUPERVISOR_PDU / timeout (RTOX) branch of digital_in_recv_dep_res(), the RTOX value byte is read from resp->data[0] after skb_pull() has stripped the 3-byte DEP_RES header: skb_pull(resp, size); /* size = sizeof(struct digital_dep_req_res) = 3 */ ... case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU: ... rtox = DIGITAL_NFC_DEP_RTOX_VALUE(resp->data[0]); If the remote device sends a DEP_RES frame that is exactly the minimum length (3 bytes -- dir + cmd + pfb only, no payload), the skb_pull leaves resp->len == 0 and the read of resp->data[0] is a 1-byte out-of-bounds read of kernel heap memory beyond the socket buffer. The I-PDU and ACK/NACK branches are not affected because they either pass resp directly to upper layers or perform a separate minimum-length check before accessing payload bytes. Only the RTOX branch is missing its guard. Add a resp->len >= 1 check before the RTOX value read. Fixes: 4b60cfce7aba ("NFC Digital: Implement NFC-DEP initiator TX and RX") Cc: stable@vger.kernel.org Signed-off-by: Lekë Hapçiu --- net/nfc/digital_dep.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c index XXXXXXX..XXXXXXX 100644 --- a/net/nfc/digital_dep.c +++ b/net/nfc/digital_dep.c @@ -866,6 +866,12 @@ goto error; } + if (!resp->len) { + PROTOCOL_ERR("14.8.4.1"); + rc = -EIO; + goto error; + } + rtox = DIGITAL_NFC_DEP_RTOX_VALUE(resp->data[0]); if (!rtox || rtox > DIGITAL_NFC_DEP_RTOX_MAX) { PROTOCOL_ERR("14.8.4.1"); -- 2.34.1
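Review bot: the diffstat does not match the hunk: the header `@@ -866,6 +866,12 @@` and the six `+` lines (five lines of the new `if` block plus the trailing blank line) count six insertions, while the stat line says `5 insertions(+)`, and the `index XXXXXXX..XXXXXXX` line is a placeholder rather than real blob ids, so the patch looks hand-edited; please regenerate it with `git format-patch` before it goes to stable. The check itself is right for the case described: after the 3-byte header has been pulled, `resp->len == 0` means `resp->data[0]` lies past the end of the buffer, and failing with `-EIO` through the existing `error` label is consistent with the neighbouring RTOX range check. Since the new `PROTOCOL_ERR("14.8.4.1")` reuses the same section string as the range check two lines below, a short comment on the new block (e.g. "no RTOX value byte present") would make the two failures distinguishable in the log.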