digital_in_recv_sensf_res() copies the received SENSF response into struct nfc_target without bounding the copy to target.sensf_res. A full on-wire digital_sensf_res is 19 bytes long, while nfc_target stores 18 bytes, so full-length or oversized responses can overwrite adjacent stack fields before digital_target_found() sees the target.

Reject payloads larger than struct digital_sensf_res and clamp the copy into target.sensf_res so valid 19-byte responses keep working while the destination buffer remains bounded.

This was confirmed by injecting an oversized SENSF_RES frame via a patched nfcsim driver, producing a kernel panic with the overflow pattern visible on the stack:

Kernel panic - not syncing: Kernel mode fault at addr 0x0
Stack: 4141414141414141 4141414141414141 4141414141414141 ...

Found by static analysis with Coccinelle (memcpy-from-TLV pattern derived from CVE-2019-14814).

Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito
---
 net/nfc/digital_technology.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c
index 63f1b721c71d..5ef49f813f70 100644
--- a/net/nfc/digital_technology.c
+++ b/net/nfc/digital_technology.c
@@ -768,12 +768,18 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg, skb_pull(resp, 1); + if (resp->len > sizeof(struct digital_sensf_res)) { + rc = -EIO; + goto exit; + } + memset(&target, 0, sizeof(struct nfc_target)); sensf_res = (struct digital_sensf_res *)resp->data; - memcpy(target.sensf_res, sensf_res, resp->len); - target.sensf_res_len = resp->len; + target.sensf_res_len = min_t(unsigned int, resp->len, + sizeof(target.sensf_res)); + memcpy(target.sensf_res, sensf_res, target.sensf_res_len); memcpy(target.nfcid2, sensf_res->nfcid2, NFC_NFCID2_MAXSIZE); target.nfcid2_len = NFC_NFCID2_MAXSIZE; -- 2.53.0
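Review bot: the min_t clamp silently discards the trailing byte of a full-length 19-byte SENSF_RES, so target.sensf_res_len will report 18 for a valid 19-byte response even though the commit message says such responses "keep working"; a one-line comment above the memcpy stating that the last on-wire byte is intentionally not retained in target.sensf_res would stop a future reader from treating the truncation as a bug, or the commit message should spell out that the reported length is capped at 18. The new upper-bound check also needs a matching lower bound somewhere above this hunk (not visible here): the unchanged `memcpy(target.nfcid2, sensf_res->nfcid2, NFC_NFCID2_MAXSIZE);` still reads NFC_NFCID2_MAXSIZE bytes from the skb regardless of resp->len, so a frame shorter than the nfcid2 field would read past the received data unless an earlier minimum-length check rejects it.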