Acknowledged
Created: Oct 29, 2025
Updated: Oct 30, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

net: nfc: nci: Add parameter validation for packet data

Syzbot reported an uninitialized value bug in nci_init_req, which was
introduced by commit 5aca7966d2a7 ("Merge tag
'perf-tools-fixes-for-v6.17-2025-09-16' of
git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").

This bug arises due to very limited and poor input validation
that was done at nic_valid_size(). This validation only
checks skb->len (which directly reflects the size provided at the
userspace interface) against the length provided in the buffer
itself (interpreted as NCI_HEADER). This leads to the processing
of memory content at the address assuming the correct layout
per what the opcode requires there. This leads to accesses to
the `skb_buff->data` buffer, which has not been assigned anything yet.

Following the same silent drop of packets of invalid sizes at
`nic_valid_size()`, add validation of the data in the respective
handlers and return error values in case of failure. Release
the skb if error values are returned from handlers in
`nci_nft_packet` and effectively do a silent drop.

Possible TODO: because we silently drop the packets, the
call to `nci_request` will be waiting for completion of the request
and will face timeouts. These timeouts can get excessively logged
in dmesg. Proper handling of them may require exporting
`nci_request_cancel` (or propagating error handling from the
nft packet handlers).
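The two layers of checking the commit message contrasts, the header-only size check and the per-handler validation of payload fields, modelled in user space as an added example. This is not the kernel's code. The 3-byte NCI control header layout (MT/PBF/GID, OID, payload length) follows the NCI specification; the credits-notification payload layout (an entry count followed by {conn_id, credits} pairs), the OID value 0x06, the entry cap, and every function and struct name here are illustrative assumptions, and the packets are constructed for the demo. A 0xAA fill stands in for memory the packet never supplied, so the "before" handler's over-read is visible in its result instead of being undefined behaviour.

```c
/* Added example, not kernel code: user-space model of NCI control-packet
 * validation. Header layout per the NCI spec; notification layout, OID,
 * limits and names are assumptions for the demo. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCI_CTRL_HDR_SIZE     3     /* MT/PBF/GID, OID, payload length */
#define NCI_MT_NTF_PKT        0x03  /* message type: notification */
#define NCI_GID_CORE          0x00
#define OID_CORE_CONN_CREDITS 0x06  /* assumed OID of the credits notification */
#define MAX_CONN_ENTRIES      10    /* assumed cap on entries per notification */

/* Stand-in for the skb: `data` points into a larger backing buffer, so a
 * read past `len` hits bytes the packet never supplied (0xAA below). */
struct demo_skb { const uint8_t *data; size_t len; };

static unsigned nci_mt(const uint8_t *h)   { return (h[0] >> 5) & 0x07; }
static unsigned nci_gid(const uint8_t *h)  { return h[0] & 0x0f; }
static unsigned nci_oid(const uint8_t *h)  { return h[1] & 0x3f; }
static unsigned nci_plen(const uint8_t *h) { return h[2]; }

/* The header-only check: skb->len against the advertised payload length.
 * It says nothing about what the payload contains. */
static int valid_size(const struct demo_skb *skb)
{
    if (skb->len < NCI_CTRL_HDR_SIZE)
        return 0;
    return skb->len == NCI_CTRL_HDR_SIZE + nci_plen(skb->data);
}

/* Assumed payload: num_entries, then num_entries x {conn_id, credits}. */

/* Before: trusts num_entries and walks past the end of the payload;
 * p[0] itself may lie beyond skb->len when the payload is empty. */
static int credits_ntf_unchecked(const struct demo_skb *skb, int *total)
{
    const uint8_t *p = skb->data + NCI_CTRL_HDR_SIZE;
    unsigned n = p[0];

    *total = 0;
    for (unsigned i = 0; i < n; i++)
        *total += p[1 + 2 * i + 1];        /* credits field of entry i */
    return 0;
}

/* After: each field is checked against the bytes actually received before
 * it is read; -EINVAL tells the dispatcher to drop the packet. */
static int credits_ntf_checked(const struct demo_skb *skb, int *total)
{
    const uint8_t *p = skb->data + NCI_CTRL_HDR_SIZE;
    size_t plen = skb->len - NCI_CTRL_HDR_SIZE;   /* len already validated */
    unsigned n;

    if (plen < 1)
        return -EINVAL;
    n = p[0];
    if (n > MAX_CONN_ENTRIES || plen < 1 + 2 * (size_t)n)
        return -EINVAL;

    *total = 0;
    for (unsigned i = 0; i < n; i++)
        *total += p[1 + 2 * i + 1];
    return 0;
}

/* Constructed packets: MT=NTF (0x60), GID core, OID 0x06, plen, payload. */
static const uint8_t PKT_GOOD[]  = { 0x60, 0x06, 0x03, 0x01, 0x01, 0x05 }; /* 1 entry, 5 credits */
static const uint8_t PKT_LYING[] = { 0x60, 0x06, 0x03, 0x03, 0x01, 0x05 }; /* claims 3, carries 1 */
static const uint8_t PKT_EMPTY[] = { 0x60, 0x06, 0x00 };                   /* size-valid, no payload */
static const struct { const uint8_t *p; size_t n; } PKTS[] = {
    { PKT_GOOD, sizeof PKT_GOOD }, { PKT_LYING, sizeof PKT_LYING }, { PKT_EMPTY, sizeof PKT_EMPTY },
};

/* Dispatcher in the shape the commit describes: a handler error means the
 * skb is released and the packet silently dropped. Returns the summed
 * credits on success, -EINVAL when the packet was dropped. */
int demo(int which, int hardened)
{
    static uint8_t backing[600];            /* room for any 8-bit entry count */
    struct demo_skb skb;
    int total = 0, rc;

    if (which < 0 || which >= 3)
        return -EINVAL;
    memset(backing, 0xAA, sizeof(backing)); /* bytes the packet never supplied */
    memcpy(backing, PKTS[which].p, PKTS[which].n);
    skb.data = backing;
    skb.len = PKTS[which].n;

    if (!valid_size(&skb))
        return -EINVAL;                     /* the existing silent drop */
    if (nci_mt(skb.data) != NCI_MT_NTF_PKT || nci_gid(skb.data) != NCI_GID_CORE ||
        nci_oid(skb.data) != OID_CORE_CONN_CREDITS)
        return -EINVAL;                     /* demo handles one notification */

    rc = hardened ? credits_ntf_checked(&skb, &total)
                  : credits_ntf_unchecked(&skb, &total);
    return rc < 0 ? rc : total;             /* rc < 0: kfree_skb() and drop */
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("packet %d: unchecked=%d checked=%d\n", i, demo(i, 0), demo(i, 1));
    return 0;
}
```

All three packets pass the size check, because each one's total length matches its payload-length byte. The unchecked handler consumes the 0xAA fill as entry data for the lying and empty packets (the empty one even takes its entry count from past the end), while the checked handler rejects both and only the well-formed packet yields the expected 5 credits.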