mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-09 23:50:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

avb: fix stack overflow in MRP parsing

Browse source 
AVB_MRP_VECTOR_GET_NUM_VALUES can be 13 bits and is stored in a
unit16_t. event_len and param_len are however calculated from this and
then truncated to 8 bits (uint8_t) which causes the bounds check to
silently pass and cause an OOB read.

Change the type to uint16_t to avoid overflows.
This commit is contained in:
Wim Taymans 2026-05-08 18:13:12 +02:00
parent 6c0a9b31f6
commit 08d4e319cf
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-avb/mrp.c
View file

@ -173,8 +173,8 @@ int avb_mrp_parse_packet(struct avb_mrp *mrp, uint64_t now, const void *pkt, int
const struct avb_packet_mrp_vector *v =
(const struct avb_packet_mrp_vector*)m;
uint16_t i, num_values = AVB_MRP_VECTOR_GET_NUM_VALUES(v);
uint8_t event_len = (num_values+2)/3;
uint8_t param_len = has_param ? (num_values+3)/4 : 0;
uint16_t event_len = (num_values+2)/3;
uint16_t param_len = has_param ? (num_values+3)/4 : 0;
int plen = sizeof(*v) + attr_len + event_len + param_len;
const uint8_t *first = v->first_value;
uint8_t event[3], param[4] = { 0, };