From 46eefd16ee863f0ad9053696743447f3ae2078f3 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 11:23:44 +0200 Subject: [PATCH] security: fix out-of-bounds read in AVB AECP AEM command handler Memory Safety: High The cmd_names[] array was indexed with a network-provided command type value before the bounds check, allowing an out-of-bounds read when processing crafted AVB network packets. Moved the bounds validation before the array access to prevent reading past the end of the array. Co-Authored-By: Claude Opus 4.6 --- src/modules/module-avb/aecp-aem.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/modules/module-avb/aecp-aem.c b/src/modules/module-avb/aecp-aem.c index 33b4a2dbf..b1010eb65 100644 --- a/src/modules/module-avb/aecp-aem.c +++ b/src/modules/module-avb/aecp-aem.c @@ -427,15 +427,17 @@ int avb_aecp_aem_handle_command(struct aecp *aecp, const void *m, int len) cmd_type = AVB_PACKET_AEM_GET_COMMAND_TYPE(p); - pw_log_info("mode: %s aem command %s", - get_avb_mode_str(server->avb_mode), cmd_names[cmd_type]); - if (cmd_info_modes[server->avb_mode].count <= cmd_type) { - pw_log_warn("Too many %d vs exp. %zu\n", cmd_type, + pw_log_warn("unknown aem command %d (max %zu)\n", cmd_type, cmd_info_modes[server->avb_mode].count); return reply_not_implemented(aecp, m, len); } + pw_log_info("mode: %s aem command %s", + get_avb_mode_str(server->avb_mode), + cmd_type < SPA_N_ELEMENTS(cmd_names) && cmd_names[cmd_type] + ? cmd_names[cmd_type] : "unknown"); + info = &cmd_info_modes[server->avb_mode].cmd_info[cmd_type]; if (!info || !info->handle_command ) return reply_not_implemented(aecp, m, len); 
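Review bot: The rejection branch at the top of this hunk logs at warn level for every packet whose command type is out of range, and the commit message says that value is network-provided, so a peer can produce one warn line per frame; consider `pw_log_debug` there, or a rate limit. The same message keeps a trailing `\n` that the `pw_log_info` call below it does not use, so the two calls are inconsistent. The name lookup is rightly guarded by its own bound, `SPA_N_ELEMENTS(cmd_names)`, rather than by the per-mode `count`. A short comment such as `/* cmd_names[] is sized independently of the per-mode tables */` would keep a later cleanup from merging the two checks. The function starts and ends outside the hunk, so whether `len` is validated before `AVB_PACKET_AEM_GET_COMMAND_TYPE(p)` reads the header cannot be confirmed from here.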
@@ -453,8 +455,7 @@ int avb_aecp_aem_handle_command(struct aecp *aecp, const void *m, int len) * commands are always allowed regardless of lock state. */ if (!info->is_readonly && check_locked(aecp, now, p)) { - pw_log_info("aem command %s rejected: entity locked", - cmd_names[cmd_type]); + pw_log_info("aem command %d rejected: entity locked", cmd_type); return reply_entity_locked(aecp, m, len); }
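Review bot: The lock-rejection log now prints only the numeric command type, which is safe but drops the name that the first hunk still prints, so the two messages for one command no longer match when searching logs. Computing the guarded name once after the bounds check, e.g. `const char *name = cmd_type < SPA_N_ELEMENTS(cmd_names) && cmd_names[cmd_type] ? cmd_names[cmd_type] : "unknown";`, and passing it to both calls would keep the lookup bounded and in one place. The declaration of `cmd_type` is outside the hunk, so its type should be confirmed against the `%d` specifier used here.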