security: validate packet length in AVB ACMP message handler

Input Validation: High

The acmp_message() handler accessed fields of avb_ethernet_header and
avb_packet_acmp from network packet data without first checking that
the received packet was large enough to contain these structures.
A short packet could cause out-of-bounds reads when accessing packet
header fields.

The VLA-based reply buffers in reply_not_supported(),
handle_connect_tx_command(), and handle_disconnect_tx_command() also
lacked an upper bound on the packet length, allowing a packet claiming
a very large size to cause excessive stack allocation.

Fix by adding minimum length (sizeof(header) + sizeof(acmp)) and
maximum length (MTU) validation at the entry point before any field
access or buffer allocation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-27 12:21:13 +02:00
parent 0d41a7b82f
commit 11226544f7
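The two bounds the commit message describes, a minimum of sizeof(header) + sizeof(acmp) and a maximum of the MTU, checked before any field access or stack allocation, as an added stand-alone example. This is not PipeWire's code: the struct layouts follow the IEEE 1722.1 ACMPDU wire format but the names, the EX_MTU value, the errno choices and the ex_* helpers are assumptions made for the example, and the sample frame is constructed inline.

```c
/* Added example, not PipeWire code. Layouts follow IEEE 1722.1 ACMPDU;
 * names, constants and helpers (ex_*) are invented for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define EX_ETH_TYPE_AVTP            0x22F0  /* AVTP EtherType */
#define EX_ACMP_SUBTYPE             0x7C    /* AVTP subtype for ACMP */
#define EX_MTU                      1500    /* assumed upper bound on a frame */
#define EX_ACMP_CONNECT_TX_COMMAND  0
#define EX_ACMP_CONNECT_TX_RESPONSE 1

struct ex_eth_hdr {
	uint8_t dest[6];
	uint8_t src[6];
	uint16_t type;
} __attribute__((packed));                  /* 14 bytes */

struct ex_acmp_pdu {
	uint8_t subtype;
	uint8_t sv_version_message_type;    /* sv:1 version:3 message_type:4 */
	uint16_t status_control_data_length;
	uint64_t stream_id;
	uint64_t controller_entity_id;
	uint64_t talker_entity_id;
	uint64_t listener_entity_id;
	uint16_t talker_unique_id;
	uint16_t listener_unique_id;
	uint8_t stream_dest_mac[6];
	uint16_t connection_count;
	uint16_t sequence_id;
	uint16_t flags;
	uint16_t stream_vlan_id;
	uint16_t reserved;
} __attribute__((packed));                  /* 56 bytes */

/* Validate, then parse. Both bounds are checked before any header field is
 * read, and the copies never touch bytes beyond 'len'. Returns the ACMP
 * message_type (0..15) or a negative errno. */
int ex_acmp_parse(const void *msg, int len, const uint8_t our_mac[6],
		  struct ex_acmp_pdu *out)
{
	struct ex_eth_hdr h;
	if (len < 0 ||
	    (size_t)len < sizeof(h) + sizeof(*out) ||
	    (size_t)len > EX_MTU)
		return -EMSGSIZE;
	memcpy(&h, msg, sizeof(h));
	if (ntohs(h.type) != EX_ETH_TYPE_AVTP)
		return -EPROTO;
	if (memcmp(h.dest, our_mac, 6) != 0)
		return -ENOENT;
	memcpy(out, (const uint8_t *)msg + sizeof(h), sizeof(*out));
	if (out->subtype != EX_ACMP_SUBTYPE)
		return -EPROTO;
	return out->sv_version_message_type & 0x0f;
}

/* Answer a CONNECT_TX_COMMAND with a same-sized response. The VLA is declared
 * only after ex_acmp_parse() has capped 'len' at EX_MTU, so a hostile length
 * cannot drive stack usage. Returns bytes written or a negative errno. */
int ex_acmp_reply(const void *msg, int len, const uint8_t our_mac[6],
		  uint8_t *out, size_t out_cap)
{
	struct ex_acmp_pdu pdu;
	struct ex_eth_hdr h;
	int type = ex_acmp_parse(msg, len, our_mac, &pdu);
	if (type < 0)
		return type;
	if (type != EX_ACMP_CONNECT_TX_COMMAND)
		return -EOPNOTSUPP;
	if ((size_t)len > out_cap)
		return -ENOSPC;
	uint8_t buf[len];                   /* bounded: len <= EX_MTU here */
	memcpy(buf, msg, (size_t)len);
	memcpy(&h, buf, sizeof(h));
	memcpy(h.dest, h.src, 6);           /* reply goes back to the sender */
	memcpy(h.src, our_mac, 6);
	pdu.sv_version_message_type = (uint8_t)((pdu.sv_version_message_type & 0xf0)
						| EX_ACMP_CONNECT_TX_RESPONSE);
	memcpy(buf, &h, sizeof(h));
	memcpy(buf + sizeof(h), &pdu, sizeof(pdu));
	memcpy(out, buf, (size_t)len);
	return len;
}

/* Constructed sample input: a minimal CONNECT_TX_COMMAND addressed to
 * 'our_mac' from a made-up peer MAC. Returns the frame length (70). */
int ex_make_frame(uint8_t *buf, size_t cap, const uint8_t our_mac[6])
{
	static const uint8_t peer[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
	struct ex_eth_hdr h = { .type = htons(EX_ETH_TYPE_AVTP) };
	struct ex_acmp_pdu p = { .subtype = EX_ACMP_SUBTYPE,
				 .sv_version_message_type = EX_ACMP_CONNECT_TX_COMMAND,
				 .sequence_id = htons(7) };
	if (cap < sizeof(h) + sizeof(p))
		return -ENOSPC;
	memcpy(h.dest, our_mac, 6);
	memcpy(h.src, peer, 6);
	memcpy(buf, &h, sizeof(h));
	memcpy(buf + sizeof(h), &p, sizeof(p));
	return (int)(sizeof(h) + sizeof(p));
}
```

A negative, truncated or oversized length is rejected with -EMSGSIZE before the first byte of the frame is read; only after that does the reply path size its stack buffer from the now-bounded length.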

@ -8,6 +8,7 @@
#include <pipewire/pipewire.h> #include <pipewire/pipewire.h>
#include "acmp.h" #include "acmp.h"
#include "aecp-aem.h"
#include "msrp.h" #include "msrp.h"
#include "internal.h" #include "internal.h"
#include "stream.h" #include "stream.h"
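Review bot: the added `#include "aecp-aem.h"` is not mentioned in the commit message; if it is only there so that acmp_message() can see AVB_PACKET_MILAN_DEFAULT_MTU for the new upper bound, say so in the message or next to the include, since it creates a dependency of the ACMP handler on the AEM header, and a frame-size constant used by more than one handler may be better placed in a shared header.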
@ -393,6 +394,11 @@ static int acmp_message(void *data, uint64_t now, const void *message, int len)
const struct msg_info *info; const struct msg_info *info;
int message_type; int message_type;
if (len < 0 ||
(size_t)len < sizeof(*h) + sizeof(*p) ||
(size_t)len > AVB_PACKET_MILAN_DEFAULT_MTU)
return 0;
if (ntohs(h->type) != AVB_TSN_ETH) if (ntohs(h->type) != AVB_TSN_ETH)
return 0; return 0;
if (memcmp(h->dest, mac, 6) != 0 && if (memcmp(h->dest, mac, 6) != 0 &&
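Review bot: the minimum-length check covers exactly sizeof(*h) + sizeof(*p), so it guards the fixed header fields read here; any later read beyond the fixed ACMP PDU (for example one driven by a length field inside the PDU) still needs its own bound, and that should be stated or checked where it happens. The three new conditions also drop the frame silently; a pw_log_debug() of the offending len beside the new `return 0;` would make truncated or oversized frames visible during triage. Finally, the AVB_PACKET_MILAN_DEFAULT_MTU cap only bounds the VLAs in reply_not_supported(), handle_connect_tx_command() and handle_disconnect_tx_command() if acmp_message() is their sole entry path, which the commit message asserts but the hunk cannot show; worth confirming.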