mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-05 06:46:28 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

avb: check packet sizes

Browse source 
Clamp packet len to the buffer size.

Reject packets with invalid data_len.
This commit is contained in:
Wim Taymans 2026-05-04 09:53:33 +02:00
parent 47deb75247
commit 172f969650
3 changed files with 8 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c
View file

@ -154,8 +154,8 @@ static struct acmp_lt_timers *acmp_lt_add_timer_milan_v12(struct acmp_milan_v12
if (tmr == NULL) if (tmr == NULL)
return NULL; return NULL;
if (m) { if (m) {
memcpy(tmr->saved_packet, m, len); tmr->saved_packet_len = SPA_MIN(len, sizeof(tmr->saved_packet));
tmr->saved_packet_len = len; memcpy(tmr->saved_packet, m, tmr->saved_packet_len);
} }
tmr->timeout = timeout; tmr->timeout = timeout;

7
src/modules/module-avb/adp.c
View file

@ -153,8 +153,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len)
if (e == NULL) if (e == NULL)
return -errno; return -errno;
memcpy(e->buf, message, len); e->len = SPA_MIN((size_t)len, sizeof(e->buf));
e->len = len; memcpy(e->buf, message, e->len);
e->valid_time = AVB_PACKET_ADP_GET_VALID_TIME(p); e->valid_time = AVB_PACKET_ADP_GET_VALID_TIME(p);
e->entity_id = entity_id; e->entity_id = entity_id;
spa_list_append(&adp->entities, &e->link); spa_list_append(&adp->entities, &e->link);
@ -199,7 +199,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len)
} }
} }
memcpy(e->buf, message, len); e->len = SPA_MIN((size_t)len, sizeof(e->buf));
memcpy(e->buf, message, e->len);
} }
} }
e->last_time = now; e->last_time = now;

2
src/modules/module-avb/stream.c
View file

@ -760,6 +760,8 @@ static void handle_aaf_packet(struct stream *stream,
filled = spa_ringbuffer_get_write_index(&stream->ring, &index); filled = spa_ringbuffer_get_write_index(&stream->ring, &index);
n_bytes = ntohs(p->data_len); n_bytes = ntohs(p->data_len);
if (n_bytes > (uint32_t)(len - (int)sizeof(*p)))
return;
/* IEEE 1722.1 Section 7.4.42 / Milan Section 5.4.5.3: FRAMES_RX counts every valid /* IEEE 1722.1 Section 7.4.42 / Milan Section 5.4.5.3: FRAMES_RX counts every valid
* AVTPDU received on the wire independent of whether the listener * AVTPDU received on the wire independent of whether the listener