nfc_llcp_rx_skb() reads the two-byte LLCP header (DSAP/SSAP/PTYPE) and dispatches by PDU type; several handlers then derive a TLV-array length as skb->len - LLCP_HEADER_SIZE. Neither nfc_llcp_rx_skb() nor its callers guarantee the frame is at least LLCP_HEADER_SIZE bytes, and a sub-header PDU does reach it: digital_in_recv_dep_res() and digital_tg_recv_dep_req() strip the DEP header with skb_pull() after only checking the DEP header size, so a DEP I-PDU carrying a 0- or 1-byte LLCP payload is handed up as a sub-2-byte skb. For a CONNECT or CC PDU, nfc_llcp_recv_connect() and nfc_llcp_recv_cc() then pass skb->len - LLCP_HEADER_SIZE to nfc_llcp_parse_connection_tlv(). For skb->len < 2 that subtraction underflows: truncated into the u16 tlv_array_len parameter it becomes ~0xFFFE, and for a CONNECT to the SDP SAP, nfc_llcp_connect_sn() uses a size_t and underflows to SIZE_MAX. The TLV parsers bound their walk relative to that length, so they read far past the end of the skb. The aggregated-frame path (nfc_llcp_recv_agf()) already drops sub-PDUs shorter than the header. Apply the same guard once, in the dispatcher, so every PDU type is covered. Found by 0sec (https://0sec.ai) using automated source analysis; the missing guard is evident from source. Compile-tested. Fixes: d646960f7986 ("NFC: Initial LLCP support") Cc: stable@vger.kernel.org Assisted-by: 0sec:claude-opus-4-8 Signed-off-by: Doruk Tan Ozturk --- net/nfc/llcp_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c index aed5fe1afef0..e3b3077e0e83 100644 --- a/net/nfc/llcp_core.c +++ b/net/nfc/llcp_core.c @@ -1481,6 +1481,9 @@ static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb) { u8 dsap, ssap, ptype; + if (skb->len < LLCP_HEADER_SIZE) + return; + ptype = nfc_llcp_ptype(skb); dsap = nfc_llcp_dsap(skb); ssap = nfc_llcp_ssap(skb); -- 2.43.0