security: clamp netjack2 sync.frames to quantum limit

Clamp sync.frames to quantum_limit in both sync_wait functions so all
recv paths (float, int, opus, and the fallback memset in recv_data) use
a bounded frame count. A malicious remote could send a large sync.frames
causing buffer overflows in recv_int, recv_opus, and the unfilled-buffer
memset.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Wim Taymans 2026-04-29 13:42:49 +02:00
parent c5083e7f32
commit 3d414960c2


@ -739,6 +739,7 @@ static inline int32_t netjack2_driver_sync_wait(struct netjack2_peer *peer)
peer->sync.frames = ntohl(sync.frames);
if (peer->sync.frames == -1)
peer->sync.frames = peer->params.period_size;
peer->sync.frames = SPA_MIN(peer->sync.frames, (int32_t)peer->quantum_limit);
return peer->sync.frames;
@ -774,6 +775,7 @@ static inline int32_t netjack2_manager_sync_wait(struct netjack2_peer *peer)
peer->sync.frames = ntohl(sync.frames);
if (peer->sync.frames == -1)
peer->sync.frames = peer->params.period_size;
peer->sync.frames = SPA_MIN(peer->sync.frames, (int32_t)peer->quantum_limit);
offset = peer->cycle - peer->sync.cycle;
if (offset < (int32_t)peer->params.network_latency) {
@ -864,7 +866,7 @@ static int netjack2_recv_float(struct netjack2_peer *peer, struct nj2_packet_hea
if (active_ports == 0 || active_ports > MAX_CHANNELS)
return 0;
uint32_t nframes = SPA_MIN((uint32_t)peer->sync.frames, peer->quantum_limit);
uint32_t nframes = peer->sync.frames;
uint32_t max_size = PACKET_AVAILABLE_SIZE(peer->params.mtu);
uint32_t overhead = active_ports * sizeof(int32_t);
if (max_size <= overhead) {
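Review bot: A negative `sync.frames` other than -1 still passes the clamp added in both sync_wait functions, because `SPA_MIN(peer->sync.frames, (int32_t)peer->quantum_limit)` compares as int32_t and only bounds the value from above. In netjack2_recv_float, what appears to be the new line, `uint32_t nframes = peer->sync.frames;`, then converts such a value into a very large unsigned frame count, whereas the line it replaces applied the clamp after the cast to uint32_t and so bounded it. Bounding both ends at the source, for example `peer->sync.frames = SPA_CLAMP(peer->sync.frames, 0, (int32_t)peer->quantum_limit);`, or keeping the unsigned clamp in recv_float, would cover this case. Whether callers already reject a negative return from sync_wait is not visible here, since all three functions continue outside the hunks.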