`digital_in_recv_sensf_res()` only checks `resp->len` against the minimum frame size before copying the response into `target.sensf_res`. The destination is `NFC_SENSF_RES_MAXSIZE` bytes long, so an oversized SENSF response can overwrite adjacent fields in the stack-local `struct nfc_target` before the result is handed to `digital_target_found()`. Reject frames larger than the destination buffer before copying. Signed-off-by: Pengpeng Hou --- net/nfc/digital_technology.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/nfc/digital_technology.c b/net/nfc/digital_technology.c index 63f1b721c71d..8147e61c224a 100644 --- a/net/nfc/digital_technology.c +++ b/net/nfc/digital_technology.c @@ -768,6 +768,11 @@ static void digital_in_recv_sensf_res(struct nfc_digital_dev *ddev, void *arg, skb_pull(resp, 1); + if (resp->len > NFC_SENSF_RES_MAXSIZE) { + rc = -EIO; + goto exit; + } + memset(&target, 0, sizeof(struct nfc_target)); sensf_res = (struct digital_sensf_res *)resp->data; -- 2.50.1 (Apple Git-155)
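Review bot: the new upper-bound check is separated from the existing minimum-size check that the commit message describes, so the two length validations for the same `resp->len` now live in different places; consider folding this into that earlier check (one `if` testing both bounds) so a future reader sees the full accepted range at once, and add a short comment naming `target.sensf_res` as the buffer being protected. Two things to confirm before merging, since they are outside the visible context: that the `exit:` label reached by `goto exit` performs the same cleanup (dropping `resp` and reporting the failure to the poll logic) as the other error paths in this function, and that `-EIO` matches the error code the existing minimum-size rejection uses so an oversized and an undersized SENSF response are reported the same way.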