nfc_llcp_recv_dm() reads skb->data[2] (the DM reason byte) without verifying that the frame is at least LLCP_HEADER_SIZE + 1 bytes long. A rogue NFC peer can send a 2-byte DM PDU (header only, no reason byte), triggering a 1-byte out-of-bounds read of kernel heap memory. The same missing guard also leaves the nfc_llcp_dsap() and nfc_llcp_ssap() macro accesses to data[0]/data[1] technically unprotected against a 0- or 1-byte frame. Add a single skb->len < LLCP_HEADER_SIZE + 1 check before any field access, consistent with the guard added to nfc_llcp_recv_snl() by commit ef8ddc69c ("nfc: llcp: fix bounds check in nfc_llcp_recv_snl()"). The DM PDU is dispatched unconditionally by nfc_llcp_rx_skb() with no prior length check, so this path is reachable from RF without any prior pairing or session establishment. Fixes: 5c0560b7a5c6 ("NFC: Handle LLCP Disconnected Mode frames") Cc: stable@vger.kernel.org Signed-off-by: Lekë Hapçiu --- net/nfc/llcp_core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c --- a/net/nfc/llcp_core.c +++ b/net/nfc/llcp_core.c @@ -1247,6 +1247,10 @@ struct nfc_llcp_sock *llcp_sock; struct sock *sk; u8 dsap, ssap, reason; + if (skb->len < LLCP_HEADER_SIZE + 1) { + pr_err("Malformed DM PDU\n"); + return; + } dsap = nfc_llcp_dsap(skb); ssap = nfc_llcp_ssap(skb); -- 2.34.1
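Review bot: the `pr_err("Malformed DM PDU\n");` inside the added guard is on a path the commit message itself describes as reachable from RF with no prior pairing or session, so a rogue peer can flood the kernel log simply by repeating 2-byte DM frames; a rate-limited variant such as `pr_err_ratelimited()` (or `pr_debug()`) before the `return;` keeps the fix without handing the peer a log-spamming primitive. A short comment on the condition, e.g. `/* LLCP header plus the one-byte DM reason */`, would also make the `+ 1` self-explanatory at the point of the check rather than only in the commit message, and since the same guard is what now protects the `dsap = nfc_llcp_dsap(skb);` and `ssap = nfc_llcp_ssap(skb);` reads that follow it in the hunk, placing the check before them (as done) is the right order; worth keeping that ordering explicit in the comment so a later refactor does not move the accessors above it.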