National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2025-40043

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
28/10/2025
Last modified:
28/10/2025

Descripción

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: nci: Add parameter validation for packet data

Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").

This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet.

Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop.

Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers).
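The commit message above describes the gap between a header-only size check and the per-opcode layout a handler then assumes. The following C program is an added illustration of that gap and of the fix's approach; it is not the kernel's net/nfc/nci code and does not reproduce the actual nci_init_req path. It assumes a simplified 3-byte NCI control header (MT/GID, OID, payload length), a hypothetical handler that expects a status byte followed by a 16-bit field, and a constructed packet whose declared and received sizes agree while the payload is shorter than the handler needs. The bytes past the real payload are filled with 0xAA to stand in for stale memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of an NCI control packet: a 3-byte header (MT/GID, OID,
 * payload length) followed by the payload.  Illustration only; the handler
 * layout below is hypothetical and not taken from the kernel. */
#define NCI_HDR_SIZE 3

struct pkt {
    const uint8_t *data; /* start of the packet inside a larger buffer */
    size_t len;          /* bytes actually received (the skb->len analogue) */
};

/* Header-only size check in the spirit of what the commit message describes:
 * the received length must equal header size + declared payload length. */
static int valid_size_header_only(const struct pkt *p)
{
    if (p->len < NCI_HDR_SIZE)
        return 0;
    return p->len == (size_t)NCI_HDR_SIZE + p->data[2];
}

/* Hypothetical handler expecting: status (1 byte) + 16-bit little-endian field.
 * Weak form: trusts the opcode's expected layout and never checks that the
 * payload actually carries 3 bytes, so it reads past the received data. */
static int handler_weak(const struct pkt *p, uint16_t *field)
{
    const uint8_t *pl = p->data + NCI_HDR_SIZE;
    if (pl[0] != 0x00) /* status != OK */
        return -EIO;
    *field = (uint16_t)(pl[1] | (pl[2] << 8));
    return 0;
}

/* Hardened form: validate the payload length this handler needs before
 * touching any field, and return an error so the caller drops the packet. */
static int handler_checked(const struct pkt *p, uint16_t *field)
{
    const uint8_t *pl = p->data + NCI_HDR_SIZE;
    size_t plen = p->len - NCI_HDR_SIZE;
    if (plen < 3)
        return -EINVAL;
    if (pl[0] != 0x00)
        return -EIO;
    *field = (uint16_t)(pl[1] | (pl[2] << 8));
    return 0;
}

/* Dispatcher in the style of the fix: a negative handler result means the
 * caller releases the buffer, i.e. a silent drop. */
static int process(const struct pkt *p,
                   int (*h)(const struct pkt *, uint16_t *), uint16_t *field)
{
    if (!valid_size_header_only(p))
        return -EINVAL;
    return h(p, field);
}

/* Constructed scenario: a 4-byte packet (header + 1-byte payload) at the start
 * of a 16-byte buffer whose tail (0xAA) simulates stale memory. */
static uint8_t backing[16];

static void build_short_packet(struct pkt *p)
{
    memset(backing, 0xAA, sizeof backing);
    backing[0] = 0x60; /* MT/GID byte (illustrative value) */
    backing[1] = 0x00; /* OID */
    backing[2] = 0x01; /* declared payload length: 1, matches what arrived */
    backing[3] = 0x00; /* status OK; the 16-bit field is simply absent */
    p->data = backing;
    p->len = 4;
}

int run_weak(uint16_t *field)
{
    struct pkt p;
    build_short_packet(&p);
    return process(&p, handler_weak, field);
}

int run_checked(uint16_t *field)
{
    struct pkt p;
    build_short_packet(&p);
    return process(&p, handler_checked, field);
}

int main(void)
{
    uint16_t f = 0;
    int rc = run_weak(&f);
    printf("weak:    rc=%d field=0x%04x (read past the real payload)\n", rc, f);
    f = 0;
    rc = run_checked(&f);
    printf("checked: rc=%d (packet dropped, field untouched)\n", rc);
    return 0;
}
```

The header check passes in both runs because the declared and received lengths agree; only the per-handler check notices that the opcode's layout needs more bytes than the payload carries. The weak handler returns success with a field value assembled from the stale 0xAA bytes, which is the class of problem the commit message attributes to validating skb->len alone.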

Impact