From 3d414960c2a3725dc71d7bb143e0d0c0589407d6 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 13:42:49 +0200
Subject: [PATCH] security: clamp netjack2 sync.frames to quantum limit

Clamp sync.frames to quantum_limit in both sync_wait functions so all recv paths (float, int, opus, and the fallback memset in recv_data) use a bounded frame count. A malicious remote could send a large sync.frames causing buffer overflows in recv_int, recv_opus, and the unfilled-buffer memset.

Co-Authored-By: Claude Opus 4.7
---
 src/modules/module-netjack2/peer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/modules/module-netjack2/peer.c b/src/modules/module-netjack2/peer.c
index f7a4f2b9b..15b9ae176 100644
--- a/src/modules/module-netjack2/peer.c
+++ b/src/modules/module-netjack2/peer.c
@@ -739,6 +739,7 @@ static inline int32_t netjack2_driver_sync_wait(struct netjack2_peer *peer)
 	peer->sync.frames = ntohl(sync.frames);
 	if (peer->sync.frames == -1)
 		peer->sync.frames = peer->params.period_size;
+	peer->sync.frames = SPA_MIN(peer->sync.frames, (int32_t)peer->quantum_limit);
 
 	return peer->sync.frames;
 
@@ -774,6 +775,7 @@ static inline int32_t netjack2_manager_sync_wait(struct netjack2_peer *peer)
 	peer->sync.frames = ntohl(sync.frames);
 	if (peer->sync.frames == -1)
 		peer->sync.frames = peer->params.period_size;
+	peer->sync.frames = SPA_MIN(peer->sync.frames, (int32_t)peer->quantum_limit);
 
 	offset = peer->cycle - peer->sync.cycle;
 	if (offset < (int32_t)peer->params.network_latency) {
@@ -864,7 +866,7 @@ static int netjack2_recv_float(struct netjack2_peer *peer, struct nj2_packet_hea
 	if (active_ports == 0 || active_ports > MAX_CHANNELS)
 		return 0;
 
-	uint32_t nframes = SPA_MIN((uint32_t)peer->sync.frames, peer->quantum_limit);
+	uint32_t nframes = peer->sync.frames;
 	uint32_t max_size = PACKET_AVAILABLE_SIZE(peer->params.mtu);
 	uint32_t overhead = active_ports * sizeof(int32_t);
 	if (max_size <= overhead) {
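Review bot: The added SPA_MIN in netjack2_driver_sync_wait bounds sync.frames only from above, yet sync.frames is a signed int32 (it is compared against -1 and quantum_limit is cast to int32_t to match it), so any negative value other than -1 that ntohl() produces from a wire value at or above 0x80000000 passes the clamp unchanged. The unsigned clamp removed from netjack2_recv_float in the third hunk used to catch exactly that case, because the negative became a large uint32_t and was then limited to quantum_limit; after this patch `uint32_t nframes = peer->sync.frames;` turns such a value back into a huge frame count, so the clamp needs a lower bound as well, e.g. `peer->sync.frames = SPA_CLAMP(peer->sync.frames, 0, (int32_t)peer->quantum_limit);`, or the packet should be rejected if the callers treat a negative return as an error (not visible here). The same one-sided clamp is added in netjack2_manager_sync_wait in the second hunk. Both sync_wait bodies begin before their hunks.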
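Review bot: `uint32_t nframes = peer->sync.frames;` in netjack2_recv_float now relies on an invariant established in a different function and converts a signed value implicitly, and a reader of this function can no longer see that the count is bounded. Making the conversion explicit and naming the source of the bound, `uint32_t nframes = (uint32_t)peer->sync.frames; /* bounded to quantum_limit in the sync_wait functions */`, records why the unbounded-looking assignment is acceptable and where to look if that guarantee changes. netjack2_recv_float continues past the end of the hunk.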