From c3c11e4c761365faf9a51c416e2bedb16a650879 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 13:33:04 +0200
Subject: [PATCH] security: add max packet limit to netjack2 recv_data loop

Input Validation: High
The netjack2_recv_data loop terminates based on the is_last flag from received network packets. A malicious peer could continuously send packets with is_last=0, causing the receive loop to run indefinitely and blocking the audio processing thread. This is a denial of service vulnerability. Add a maximum packet count (1024) per receive cycle. This is well above what any legitimate netjack2 session would produce but prevents a malicious peer from stalling the processing thread.
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-netjack2/peer.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/modules/module-netjack2/peer.c b/src/modules/module-netjack2/peer.c
index 15b9ae176..01086c2e8 100644
--- a/src/modules/module-netjack2/peer.c
+++ b/src/modules/module-netjack2/peer.c
@@ -1072,10 +1072,16 @@ static int netjack2_recv_data(struct netjack2_peer *peer,
 struct data_info *audio, uint32_t n_audio)
 {
 ssize_t len;
- uint32_t i, audio_count = 0, midi_count = 0;
+ uint32_t i, audio_count = 0, midi_count = 0, packet_count = 0;
 struct nj2_packet_header header;
+#define MAX_RECV_PACKETS 1024
 while (!peer->sync.is_last) {
+ if (++packet_count > MAX_RECV_PACKETS) {
+ pw_log_warn("too many packets in cycle (%u), aborting",
+ MAX_RECV_PACKETS);
+ break;
+ }
 if ((len = recv(peer->fd, &header, sizeof(header), MSG_PEEK)) < 0)
 goto receive_error;
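Review bot: The `break` taken when `packet_count` exceeds `MAX_RECV_PACKETS` leaves the loop the same way a completed cycle does, with `peer->sync.is_last` still unset, so whatever follows the loop (outside this hunk) runs on a cycle the peer never finished. Unless that code is known to tolerate a partial cycle, treat the overflow as a failed receive, e.g. `return -EPROTO;` in place of `break;`, or a jump to `receive_error` if that label does not depend on `errno`. The `pw_log_warn` sits on the path the commit message describes as the audio processing thread and can be triggered by the remote peer on every cycle, so it should be rate-limited or lowered in level to keep a flooding peer from also filling the log. `MAX_RECV_PACKETS` is defined inside the function body and never undefined, so it stays visible for the rest of the file; defining it at file scope with a comment on how the bound was chosen would be cleaner.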