From 931505a0e4e5add5e0647ab822773ec33de90f1a Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 12:24:04 +0200 Subject: [PATCH] security: validate packet length in AVB IEC 61883 stream handler Input Validation: High The on_socket_data() handler only checked that the received packet was at least avb_packet_header size before casting to avb_packet_iec61883, which is larger. A packet between these two sizes would cause out-of-bounds reads when accessing iec61883 fields like data_len. Additionally, handle_iec61883_packet() used the data_len field from the packet to determine how many bytes to copy into the ring buffer without checking that the claimed data_len didn't exceed the actual received data. A crafted packet with an inflated data_len could cause an out-of-bounds read from the receive buffer. Fix by requiring the minimum packet size to cover both the ethernet header and the iec61883 header, and by validating that the claimed payload size doesn't exceed the received data length. Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-avb/stream.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/modules/module-avb/stream.c b/src/modules/module-avb/stream.c
index 8ed904eb3..ddc5ab635 100644
--- a/src/modules/module-avb/stream.c
+++ b/src/modules/module-avb/stream.c
@@ -366,6 +366,8 @@ static void handle_iec61883_packet(struct stream *stream,
 if (data_len < 8)
 return;
 n_bytes = data_len - 8;
+ if (n_bytes > (uint32_t)(len - (int)sizeof(*p)))
+ return;
 if (filled + n_bytes > stream->buffer_size) {
 pw_log_debug("capture overrun");
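Review bot: The added bound `n_bytes > (uint32_t)(len - (int)sizeof(*p))` only rejects anything when `len` is at least `sizeof(*p)`: for a smaller `len` the subtraction goes negative, the cast turns it into a very large unsigned value, and the oversized copy is let through. The new minimum-size test in on_socket_data appears to cover this, but only if `len` here is the byte count measured from `p`, after the ethernet header; the call site is outside the hunk, so that should be confirmed, since passing the full frame length would leave the bound too loose by the ethernet header size. Making the guard self-contained removes the dependency on the caller: `if (len < (int)sizeof(*p) || n_bytes > (uint32_t)(len - (int)sizeof(*p))) return;`. A short comment such as `/* len counts bytes starting at p; the claimed payload must fit in what was received */` would record the assumption. The function body starts and ends outside the hunk.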
@@ -393,9 +395,11 @@ static void on_socket_data(void *data, int fd, uint32_t mask)
 if (len < 0) {
 pw_log_warn("got recv error: %m");
 }
- else if (len < (int)sizeof(struct avb_packet_header)) {
+ else if (len < (int)(sizeof(struct avb_ethernet_header) +
+ sizeof(struct avb_packet_iec61883))) {
 pw_log_warn("short packet received (%d < %d)", len,
- (int)sizeof(struct avb_packet_header));
+ (int)(sizeof(struct avb_ethernet_header) +
+ sizeof(struct avb_packet_iec61883)));
 } else {
 struct avb_ethernet_header *h = (void*)buffer;
 struct avb_packet_iec61883 *p = SPA_PTROFF(h, sizeof(*h), void);
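Review bot: The minimum-length expression `sizeof(struct avb_ethernet_header) + sizeof(struct avb_packet_iec61883)` is now written twice in this branch, once in the comparison and once as the log argument, so a later edit to one can leave the warning reporting a different threshold from the one enforced. Hoisting it, e.g. `const int min_len = (int)(sizeof(struct avb_ethernet_header) + sizeof(struct avb_packet_iec61883));`, and using `min_len` in both places keeps them in step. The warning also fires for every frame shorter than an IEC 61883 header before the subtype is examined (the subtype handling is outside the hunk, so this is inferred). If other short frames can reach this socket, logging at debug level or rate-limiting would keep a peer on the segment from flooding the log. on_socket_data's body continues outside the hunk.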