The TLV parsing loops in nfc_llcp_connect_sn() and nfc_llcp_recv_snl() check `offset < tlv_array_len` before accessing both tlv[0] (type) and tlv[1] (length). When exactly one byte remains (offset == tlv_array_len - 1), the access to tlv[1] reads one byte beyond the skb data buffer. Fix both sites by changing the loop condition to `offset + 1 < tlv_array_len`, ensuring at least 2 bytes are available before reading the type and length fields.

Signed-off-by: Dudu Lu
---
 net/nfc/llcp_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 366d7566308c..d1a75b9445e1 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -852,7 +852,7 @@ static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
 	const u8 *tlv = &skb->data[2];
 	size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
-	while (offset < tlv_array_len) {
+	while (offset + 1 < tlv_array_len) {
 		type = tlv[0];
 		length = tlv[1];
@@ -1297,7 +1297,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
 	offset = 0;
 	sdres_tlvs_len = 0;
-	while (offset < tlv_len) {
+	while (offset + 1 < tlv_len) {
 		type = tlv[0];
 		length = tlv[1];
-- 2.39.3 (Apple Git-145)
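Review bot: The new `while` condition in both hunks guarantees only the two header bytes, but the value that follows (`length` bytes from `tlv[2]`) is consumed after the hunk and nothing visible here checks `offset + 2 + length <= tlv_array_len` (resp. `tlv_len`) before that value is read or before `offset` is advanced past it, so a truncated final TLV could still reach beyond the skb; the same applies to the nfc_llcp_recv_snl() hunk. If such a check already exists further down, a comment on the loop header such as `/* need at least the type and length bytes; value length is bounded below */` would make the invariant explicit; if it does not, a guard like `if (length > tlv_array_len - offset - 2) break;` right after `length = tlv[1];` is the minimal fix. Both loop bodies continue outside their hunks, as does the derivation of `tlv_len` in nfc_llcp_recv_snl(). `tlv_array_len = skb->len - LLCP_HEADER_SIZE` is unsigned and presumably relies on the caller having already verified that `skb->len >= LLCP_HEADER_SIZE`; worth confirming since an underflow there would make the new bound meaningless.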