security: add max packet limit to netjack2 recv_data loop

Input Validation: High The netjack2_recv_data loop terminates based on the is_last flag from received network packets. A malicious peer could continuously send packets with is_last=0, causing the receive loop to run indefinitely and blocking the audio processing thread. This is a denial of service vulnerability. Add a maximum packet count (1024) per receive cycle. This is well above what any legitimate netjack2 session would produce but prevents a malicious peer from stalling the processing thread. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-02 06:46:36 -04:00 · 2026-04-29 13:33:04 +02:00 · 2026-04-29 13:33:04 +02:00 · c3c11e4c76
commit c3c11e4c76
parent 110495ed9f
1 changed files with 7 additions and 1 deletions
--- a/src/modules/module-netjack2/peer.c
+++ b/src/modules/module-netjack2/peer.c
@ -1072,10 +1072,16 @@ static int netjack2_recv_data(struct netjack2_peer *peer,
 		struct data_info *audio, uint32_t n_audio)
 {
 	ssize_t len;
-	uint32_t i, audio_count = 0, midi_count = 0;
+	uint32_t i, audio_count = 0, midi_count = 0, packet_count = 0;
 	struct nj2_packet_header header;
+#define MAX_RECV_PACKETS 1024

 	while (!peer->sync.is_last) {
+		if (++packet_count > MAX_RECV_PACKETS) {
+			pw_log_warn("too many packets in cycle (%u), aborting",
+					MAX_RECV_PACKETS);
+			break;
+		}
 		if ((len = recv(peer->fd, &header, sizeof(header), MSG_PEEK)) < 0)
 			goto receive_error;