From 8ed6fe5edf548703b2defba673b718f4f8645971 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 12:13:55 +0200 Subject: [PATCH] security: fix infinite loop via MSG_PEEK on mismatched NetJack2 packets Memory Safety: High When netjack2_recv_data() receives a packet that doesn't match the expected data_stream or id, it logs "not our packet" and continues the loop. However, since the previous recv() used MSG_PEEK, the packet is not consumed from the socket buffer. This causes the loop to spin indefinitely on the same mismatched packet, consuming 100% CPU. A remote attacker on the same network can trigger this by sending a single crafted NetJack2 packet with a mismatched stream or id field, causing a denial of service on the audio processing thread. Fix by consuming (discarding) the mismatched packet with a non-peeking recv() before continuing the loop. Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-netjack2/peer.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/modules/module-netjack2/peer.c b/src/modules/module-netjack2/peer.c
index 55a7b7a28..d1bf8a10c 100644
--- a/src/modules/module-netjack2/peer.c
+++ b/src/modules/module-netjack2/peer.c
@@ -1040,7 +1040,9 @@ static int netjack2_recv_data(struct netjack2_peer *peer,
 if (ntohl(header.data_stream) != peer->other_stream ||
 ntohl(header.id) != peer->params.id) {
- pw_log_debug("not our packet");
+ uint8_t discard[peer->params.mtu];
+ pw_log_debug("not our packet, discarding");
+ recv(peer->fd, discard, sizeof(discard), 0);
 continue;
 }
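Review bot: The discard buffer `uint8_t discard[peer->params.mtu];` is a variable-length array on the stack of the receive loop, sized by a session parameter that nothing in this hunk bounds. An mtu of zero makes the declaration undefined behaviour, and a very large one can overrun the stack of the audio thread. If `peer->fd` is a datagram socket, as the per-packet wording of the commit message suggests, a non-peeking read into the existing `header` drops the rest of the datagram anyway, so `recv(peer->fd, &header, sizeof(header), 0);` would remove the need for the array. The result of the discarding `recv()` is also ignored, so a failed call leaves the packet queued and the loop spins as before; the return value should be checked and the loop left on error. The body of netjack2_recv_data starts and ends outside this hunk, so the available error path is not visible here.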