security: fix out-of-bounds read from non-null-terminated netjack2 strings

Memory Safety: High The nj2_dump_session_params() function logs char array fields (type, name, driver_name, follower_name) from network-received nj2_session_params structs using %s format. These fields are fixed-size char arrays filled by recvfrom() and are not guaranteed to contain a null terminator. A malicious peer can send a packet with no null bytes in these fields, causing pw_log_info to read past the struct boundary, potentially crashing the process or leaking adjacent heap memory. Use %.*s format specifier with explicit maximum lengths in the dump function to bound the string reads. Also force null-terminate the string fields in nj2_session_params_ntoh() so that all downstream consumers after byte-order conversion are safe. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 06:46:48 -04:00 · 2026-04-24 14:10:48 +02:00 · 2026-04-24 14:10:48 +02:00 · 7a969654f6
commit 7a969654f6
parent e01ca8919e
1 changed files with 8 additions and 4 deletions
--- a/src/modules/module-netjack2/packets.h
+++ b/src/modules/module-netjack2/packets.h
@ -46,12 +46,12 @@ struct nj2_session_params {

 static inline void nj2_dump_session_params(struct nj2_session_params *params)
 {
-	pw_log_info("Type:          '%s'", params->type);
+	pw_log_info("Type:          '%.*s'", (int)sizeof(params->type), params->type);
 	pw_log_info("Version:       %u", ntohl(params->version));
 	pw_log_info("packet ID:     %d", ntohl(params->packet_id));
-	pw_log_info("Name:          '%s'", params->name);
-	pw_log_info("Driver Name:   '%s'", params->driver_name);
-	pw_log_info("Follower Name: '%s'", params->follower_name);
+	pw_log_info("Name:          '%.*s'", (int)sizeof(params->name), params->name);
+	pw_log_info("Driver Name:   '%.*s'", (int)sizeof(params->driver_name), params->driver_name);
+	pw_log_info("Follower Name: '%.*s'", (int)sizeof(params->follower_name), params->follower_name);
 	pw_log_info("MTU:           %u", ntohl(params->mtu));
 	pw_log_info("ID:            %u", ntohl(params->id));
 	pw_log_info("TransportSync: %u", ntohl(params->transport_sync));
@ -71,6 +71,10 @@ static inline void nj2_session_params_ntoh(struct nj2_session_params *host,
 		const struct nj2_session_params *net)
 {
 	memcpy(host, net, sizeof(*host));
+	host->type[sizeof(host->type) - 1] = '\0';
+	host->name[sizeof(host->name) - 1] = '\0';
+	host->driver_name[sizeof(host->driver_name) - 1] = '\0';
+	host->follower_name[sizeof(host->follower_name) - 1] = '\0';
 	host->version = ntohl(net->version);
 	host->packet_id = ntohl(net->packet_id);
 	host->mtu = ntohl(net->mtu);