mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-30 06:46:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: validate packet length in AVB ADP message handler

Browse source 
Input Validation: High

The adp_message() handler accessed avb_ethernet_header and
avb_packet_adp fields from network packet data without checking that
the packet was large enough to contain these structures. A truncated
ADP packet could cause out-of-bounds reads when accessing entity_id,
message_type, and other header fields.

Fix by adding a minimum packet length check before any field access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 12:22:29 +02:00
parent 11226544f7
commit c9d4854114
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/modules/module-avb/adp.c
View file

@ -96,6 +96,9 @@ static int adp_message(void *data, uint64_t now, const void *message, int len)
char buf[128]; char buf[128];
uint64_t entity_id; uint64_t entity_id;
if (len < 0 || (size_t)len < sizeof(*h) + sizeof(*p))
return 0;
if (ntohs(h->type) != AVB_TSN_ETH) if (ntohs(h->type) != AVB_TSN_ETH)
return 0; return 0;
if (memcmp(h->dest, mac, 6) != 0 && if (memcmp(h->dest, mac, 6) != 0 &&