Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Revert "nfc/nci: Add the inconsistency check between the input data length and count"

This reverts commit 068648aab72c9ba7b0597354ef4d81ffaac7b979.

NFC packets may have NUL-bytes. Checking for string length is not a correct
assumption here. As long as there is a check for the length copied from
copy_from_user, all should be fine.

The fix only prevented the syzbot reproducer from triggering the bug
because the packet is not enqueued anymore and the code that triggers the
bug is not exercised.

The fix even broke
testing/selftests/nci/nci_dev, making all tests there fail. After the
revert, 6 out of 8 tests pass.

Fixes: 068648aab72c ("nfc/nci: Add the inconsistency check between the input data length and count")
Cc: stable@vger.kernel.org
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20260113202458.449455-1-cascardo@igalia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Thadeu Lima de Souza Cascardo and committed by Jakub Kicinski
f40ddcc0 a92a6c50

-4
drivers/nfc/virtual_ncidev.c
··· 125 125 kfree_skb(skb); 126 126 return -EFAULT; 127 127 } 128 - if (strnlen(skb->data, count) != count) { 129 - kfree_skb(skb); 130 - return -EINVAL; 131 - } 132 128 133 129 nci_recv_frame(vdev->ndev, skb); 134 130 return count;
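
Review bot: With the strnlen() test removed after the -EFAULT path, every frame that survives the copy is handed straight to nci_recv_frame(vdev->ndev, skb) again, so the bug the syzbot reproducer hit becomes reachable once more, as the commit message itself acknowledges. The message should reference the syzbot report or the change that addresses the real cause in the receive path, so stable backporters do not pick up the revert alone. It also relies on "a check for the length copied from copy_from_user", but no such check is visible in this hunk; naming where it lives would make the claim verifiable. Finally, the message reports 6 of 8 nci_dev selftests passing after the revert without saying why the other two still fail; a sentence on that would help.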