mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: validate MTU bounds in NetJack2 to prevent stack overflow

Browse source 
Memory Safety: High

The NetJack2 driver and manager modules use VLA (variable-length array)
stack buffers sized by peer->params.mtu in every send and receive
function. In the driver module, this MTU value comes directly from the
remote peer via nj2_session_params_ntoh() without any upper bound
validation. A malicious remote peer could advertise an extremely large
MTU value (up to UINT32_MAX), causing multi-gigabyte VLA stack
allocations that overflow the stack.

Both modules also read net.mtu from user properties via
pw_properties_get_uint32() without capping the value, even though
MAX_MTU (9000) was already defined but never enforced.

Add MTU validation against MAX_MTU in the driver's session setup
handler, and cap the configured MTU value in both driver and manager
initialization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 16:56:46 +02:00
parent e2c7ed2d0c
commit a7619fdfdb
2 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/modules/module-netjack2-driver.c
View file

@ -846,6 +846,8 @@ static int handle_follower_setup(struct impl *impl, struct nj2_session_params *p
peer->params.recv_midi_channels < 0 || peer->params.recv_midi_channels < 0 ||
peer->params.sample_rate == 0 || peer->params.sample_rate == 0 ||
peer->params.period_size == 0 || peer->params.period_size == 0 ||
peer->params.mtu == 0 ||
peer->params.mtu > MAX_MTU ||
!encoding_supported(peer->params.sample_encoder)) { !encoding_supported(peer->params.sample_encoder)) {
pw_log_warn("invalid follower setup"); pw_log_warn("invalid follower setup");
return -EINVAL; return -EINVAL;
@ -1049,7 +1051,8 @@ static int create_netjack2_socket(struct impl *impl)
goto out; goto out;
} }
impl->mtu = pw_properties_get_uint32(impl->props, "net.mtu", DEFAULT_NET_MTU); impl->mtu = SPA_MIN(pw_properties_get_uint32(impl->props, "net.mtu", DEFAULT_NET_MTU),
(uint32_t)MAX_MTU);
impl->ttl = pw_properties_get_uint32(impl->props, "net.ttl", DEFAULT_NET_TTL); impl->ttl = pw_properties_get_uint32(impl->props, "net.ttl", DEFAULT_NET_TTL);
impl->loop = pw_properties_get_bool(impl->props, "net.loop", DEFAULT_NET_LOOP); impl->loop = pw_properties_get_bool(impl->props, "net.loop", DEFAULT_NET_LOOP);
impl->dscp = pw_properties_get_uint32(impl->props, "net.dscp", DEFAULT_NET_DSCP); impl->dscp = pw_properties_get_uint32(impl->props, "net.dscp", DEFAULT_NET_DSCP);

3
src/modules/module-netjack2-manager.c
View file

@ -1201,7 +1201,8 @@ static int create_netjack2_socket(struct impl *impl)
goto out; goto out;
} }
impl->mtu = pw_properties_get_uint32(impl->props, "net.mtu", DEFAULT_NET_MTU); impl->mtu = SPA_MIN(pw_properties_get_uint32(impl->props, "net.mtu", DEFAULT_NET_MTU),
(uint32_t)MAX_MTU);
impl->ttl = pw_properties_get_uint32(impl->props, "net.ttl", DEFAULT_NET_TTL); impl->ttl = pw_properties_get_uint32(impl->props, "net.ttl", DEFAULT_NET_TTL);
impl->loop = pw_properties_get_bool(impl->props, "net.loop", DEFAULT_NET_LOOP); impl->loop = pw_properties_get_bool(impl->props, "net.loop", DEFAULT_NET_LOOP);
impl->dscp = pw_properties_get_uint32(impl->props, "net.dscp", DEFAULT_NET_DSCP); impl->dscp = pw_properties_get_uint32(impl->props, "net.dscp", DEFAULT_NET_DSCP);