Thanks. This is great. I'm so glad these are finally getting fixed. Do we need to fix nfc_hci_msg_rx_work() and nfc_hci_recv_from_llc() as well? In nfc_hci_recv_from_llc() we allow pipe to be NFC_HCI_FRAGMENT (0x7f) so that's one element beyond the end of the array and the NFC_HCI_HCP_RESPONSE isn't checked. Also nci_hci_msg_rx_work() and nci_hci_data_received_cb() use NCI_HCP_MSG_GET_PIPE() so those could be off by one. regards, dan carpenter
