nfc_llcp_recv_dm() reads skb->data[2] (the DM reason byte) without first verifying that skb->len is at least LLCP_HEADER_SIZE + 1. A DM PDU carrying only the 2-byte LLCP header from a rogue peer therefore triggers a 1-byte OOB read. Add the minimum-length guard at function entry, matching the pattern used by nfc_llcp_recv_snl() and nfc_llcp_recv_agf(). Fixes: 5c0560b7a5c6 ("NFC: Handle LLCP Disconnected Mode frames") Cc: stable@vger.kernel.org Signed-off-by: Lekë Hapçiu --- net/nfc/llcp_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c index aed5fe1afef0..edec2fd83f79 100644 --- a/net/nfc/llcp_core.c +++ b/net/nfc/llcp_core.c @@ -1250,6 +1250,11 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sock *sk; u8 dsap, ssap, reason; + if (skb->len < LLCP_HEADER_SIZE + 1) { + pr_err("Malformed DM PDU\n"); + return; + } + dsap = nfc_llcp_dsap(skb); ssap = nfc_llcp_ssap(skb); reason = skb->data[2]; -- 2.51.0