mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: add max packet limit to netjack2 recv_data loop

Browse source 
Input Validation: High

The netjack2_recv_data loop terminates based on the is_last flag
from received network packets. A malicious peer could continuously
send packets with is_last=0, causing the receive loop to run
indefinitely and blocking the audio processing thread. This is
a denial of service vulnerability.

Add a maximum packet count (1024) per receive cycle. This is
well above what any legitimate netjack2 session would produce
but prevents a malicious peer from stalling the processing thread.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 13:33:04 +02:00
parent 110495ed9f
commit c3c11e4c76
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/modules/module-netjack2/peer.c
View file

@ -1072,10 +1072,16 @@ static int netjack2_recv_data(struct netjack2_peer *peer,
struct data_info *audio, uint32_t n_audio) struct data_info *audio, uint32_t n_audio)
{ {
ssize_t len; ssize_t len;
uint32_t i, audio_count = 0, midi_count = 0; uint32_t i, audio_count = 0, midi_count = 0, packet_count = 0;
struct nj2_packet_header header; struct nj2_packet_header header;
#define MAX_RECV_PACKETS 1024
while (!peer->sync.is_last) { while (!peer->sync.is_last) {
if (++packet_count > MAX_RECV_PACKETS) {
pw_log_warn("too many packets in cycle (%u), aborting",
MAX_RECV_PACKETS);
break;
}
if ((len = recv(peer->fd, &header, sizeof(header), MSG_PEEK)) < 0) if ((len = recv(peer->fd, &header, sizeof(header), MSG_PEEK)) < 0)
goto receive_error; goto receive_error;