From a9f1ad414ecf994eaa665b0f27f57f6b912788af Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Fri, 24 Apr 2026 16:09:08 +0200
Subject: [PATCH] security: fix integer truncation in peer_name alloca size Memory Safety: Medium The strlen() return value (size_t) is stored in an int before being passed to alloca(). If a malicious client sets an extremely long PW_KEY_NODE_NAME property, the addition could overflow the int, resulting in a small or negative alloca size and a subsequent buffer overflow in snprintf(). Change the type to size_t and add a bounds check to prevent excessively large stack allocations.
Co-Authored-By: Claude Opus 4.6
---
src/modules/module-protocol-pulse/pulse-server.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c
index 95fb2b7aa..9cc16353d 100644
--- a/src/modules/module-protocol-pulse/pulse-server.c
+++ b/src/modules/module-protocol-pulse/pulse-server.c
@@ -863,10 +863,12 @@ static void manager_added(void *data, struct pw_manager_object *o)
 peer_name = "unknown";
 if (peer_name && s->direction == PW_DIRECTION_INPUT && pw_manager_object_is_monitor(peer)) {
- int len = strlen(peer_name) + 10;
- char *tmp = alloca(len);
- snprintf(tmp, len, "%s.monitor", peer_name);
- peer_name = tmp;
+ size_t len = strlen(peer_name) + 10;
+ if (len <= 1024) {
+ char *tmp = alloca(len);
+ snprintf(tmp, len, "%s.monitor", peer_name);
+ peer_name = tmp;
+ }
 }
 if (peer_name != NULL) stream_send_moved(s, peer->index, peer_name);
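Review bot: When `len` exceeds 1024 the new `if (len <= 1024)` block is skipped without any trace, and the unsuffixed, still over-long `peer_name` goes on to `stream_send_moved()` below, so the client would be told the stream moved to the node name rather than to its `.monitor` source. An explicit else branch would make that case visible and deliberate, e.g. `} else { pw_log_warn("peer name too long, not sending moved event"); peer_name = NULL; }`; whether dropping the event or sending a truncated name is the right outcome depends on code outside this hunk. The bare `1024` and `10` would also read better as a named limit and `sizeof(".monitor")`, with a short comment that the cap bounds stack use for a client-supplied property. `manager_added()` starts and ends outside the hunk.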