mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-27 06:46:48 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer overflow in netjack2 socket buffer size calculation

Browse source 
Memory Safety: Medium

In both module-netjack2-driver.c and module-netjack2-manager.c, the
socket buffer size is computed as:
  NETWORK_MAX_LATENCY * (mtu + period_size * sizeof(float) * n_ports)

This arithmetic is performed in int (signed 32-bit) but the
intermediate values can exceed INT_MAX with large but valid network
parameters. Signed integer overflow is undefined behavior in C,
and the resulting negative value passed to setsockopt would set an
incorrect socket buffer size.

Fix by widening the intermediate computation to size_t and clamping
the result to INT_MAX before storing in the int variable.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-23 18:04:17 +02:00
parent 835ba5efd6
commit 56c5eaf317
2 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/modules/module-netjack2-driver.c
View file

@ -923,9 +923,9 @@ static int handle_follower_setup(struct impl *impl, struct nj2_session_params *p
peer->quantum_limit = impl->quantum_limit; peer->quantum_limit = impl->quantum_limit;
netjack2_init(peer); netjack2_init(peer);
int bufsize = NETWORK_MAX_LATENCY * (peer->params.mtu + int bufsize = SPA_MIN((size_t)NETWORK_MAX_LATENCY * (peer->params.mtu +
peer->params.period_size * sizeof(float) * (size_t)peer->params.period_size * sizeof(float) *
SPA_MAX(impl->source.n_ports, impl->sink.n_ports)); SPA_MAX(impl->source.n_ports, impl->sink.n_ports)), (size_t)INT_MAX);
pw_log_info("send/recv buffer %d", bufsize); pw_log_info("send/recv buffer %d", bufsize);
if (setsockopt(impl->socket->fd, SOL_SOCKET, SO_SNDBUF, &bufsize, sizeof(bufsize)) < 0) if (setsockopt(impl->socket->fd, SOL_SOCKET, SO_SNDBUF, &bufsize, sizeof(bufsize)) < 0)

6
src/modules/module-netjack2-manager.c
View file

@ -1106,9 +1106,9 @@ static int handle_follower_available(struct impl *impl, struct nj2_session_param
peer->quantum_limit = impl->quantum_limit; peer->quantum_limit = impl->quantum_limit;
netjack2_init(peer); netjack2_init(peer);
int bufsize = NETWORK_MAX_LATENCY * (peer->params.mtu + int bufsize = SPA_MIN((size_t)NETWORK_MAX_LATENCY * (peer->params.mtu +
follower->period_size * sizeof(float) * (size_t)follower->period_size * sizeof(float) *
SPA_MAX(follower->source.n_ports, follower->sink.n_ports)); SPA_MAX(follower->source.n_ports, follower->sink.n_ports)), (size_t)INT_MAX);
pw_log_info("send/recv buffer %d", bufsize); pw_log_info("send/recv buffer %d", bufsize);
if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &bufsize, sizeof(bufsize)) < 0) if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &bufsize, sizeof(bufsize)) < 0)