The function digital_in_recv_sensf_res() validates that the incoming SENSF_RES frame is at least DIGITAL_SENSF_RES_MIN_LENGTH (17) bytes, but does not check that it is at most NFC_SENSF_RES_MAXSIZE (18) bytes before copying into the 18-byte target.sensf_res stack buffer. After skb_pull(resp, 1) removes the framing byte, resp->len can range from 16 up to 253 — an NFC-F frame carries a 1-byte length field with maximum value 255, from which the driver status byte (pulled here) and the protocol length byte are subtracted. The memcpy() at line 775 then writes up to 235 bytes past the end of target.sensf_res, overflowing into adjacent stack data including saved registers and the return address. A device in NFC-F polling mode can trigger this condition without any prior pairing or authentication by responding to a SENSF_REQ with an oversized frame. No user interaction is required on the victim device while NFC discovery is active. The NCI code path handles this correctly; nci/ntf.c line 508: nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE); Apply the equivalent upper-bound check to the digital protocol path by rejecting frames whose post-strip length exceeds NFC_SENSF_RES_MAXSIZE. Fixes: 8c0695e4998d ("NFC Digital: Add NFC-F technology support") Cc: stable@vger.kernel.org Signed-off-by: Lekë Hapçiu --- net/nfc/digital_technology.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c index XXXXXXX..XXXXXXX 100644 --- a/net/nfc/digital_technology.c +++ b/net/nfc/digital_technology.c @@ -768,6 +768,11 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg, skb_pull(resp, 1); + if (resp->len > NFC_SENSF_RES_MAXSIZE) { + rc = -EIO; + goto exit; + } + memset(&target, 0, sizeof(struct nfc_target)); sensf_res = (struct digital_sensf_res *)resp->data; -- 2.34.1
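Review bot: the hunk itself is placed correctly, but the trailers need fixing before this can be applied: `Signed-off-by: Lekë Hapçiu` carries no email address, which checkpatch rejects, and `index XXXXXXX..XXXXXXX 100644` is a placeholder rather than real blob ids, so please regenerate the patch with `git format-patch` against the tree you tested on. On the code: the check sits after `skb_pull(resp, 1)`, so `resp->len` is the post-strip length the commit message describes, and comparing it against `NFC_SENSF_RES_MAXSIZE` matches the 18-byte `target.sensf_res` destination; consider adding a one-line comment above the `if` saying why the upper bound is needed, and use the same error code the existing minimum-length check returns so the two paths stay consistent (the hunk uses `-EIO`). In the commit message, prefer naming the `memcpy()` in `digital_in_recv_sensf_res()` over "line 775", since line numbers drift between trees.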