security: fix missing packet length validation in VBAN audio receive

Memory Safety: High In vban_audio_receive(), the received buffer is cast to struct vban_header and its fields are accessed before validating that the packet is large enough to contain the header. If a truncated packet shorter than VBAN_HEADER_SIZE is received, this reads past the end of the buffer. Additionally, when len < hlen, the plen calculation (len - hlen) produces a negative ssize_t value which, when used in the unsigned division plen / stride, gets implicitly converted to a very large value, potentially causing further out-of-bounds reads. Fix by checking that len >= VBAN_HEADER_SIZE before accessing the header. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 06:46:48 -04:00 · 2026-04-23 17:56:38 +02:00 · 2026-04-23 17:56:38 +02:00 · 3709cac938
commit 3709cac938
parent 0ac8b1c5fa
1 changed files with 4 additions and 1 deletions
--- a/src/modules/module-vban/audio.c
+++ b/src/modules/module-vban/audio.c
@ -89,11 +89,14 @@ static int vban_audio_receive(struct impl *impl, uint8_t *buffer, ssize_t len)
 	uint32_t stride = impl->stride;
 	int32_t filled;

+	hlen = VBAN_HEADER_SIZE;
+	if (len < hlen)
+		return 0;
+
 	hdr = (struct vban_header*)buffer;

 	impl->receiving = true;

-	hlen = VBAN_HEADER_SIZE;
 	plen = len - hlen;
 	samples = SPA_MIN(hdr->format_nbs+1, plen / stride);