security: fix integer underflow in AVB stream packet handling

Memory Safety: Critical

In handle_iec61883_packet(), the data_len field from an incoming network
packet is converted via ntohs() and then unconditionally has 8 subtracted
from it. If an attacker sends a malformed AVB packet with data_len < 8,
the subtraction wraps the uint32_t n_bytes to a very large value
(~4 billion). This corrupted size is then passed to
spa_ringbuffer_write_data(), which can overwrite the ring buffer and
adjacent heap memory with attacker-controlled network data.

Add a bounds check to verify data_len >= 8 before the subtraction,
returning early on malformed packets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-24 14:09:48 +02:00
parent e3e1c4d214
commit e01ca8919e
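Added example, not PipeWire's code: it shows the arithmetic behind the underflow described above (a 16-bit value promoted to int, then the negative result converted to uint32_t) next to a checked version that also bounds data_len by the number of bytes actually received. The header offsets, function names and sample packets are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the demo: the 16-bit big-endian data_len field sits at
 * byte offset 2 of the packet; everything else is ignored.  Real IEC 61883
 * headers are larger, but only this field matters for the bug. */
#define DEMO_HDR_LEN     4
#define DEMO_DATALEN_OFF 2

static uint16_t read_be16(const uint8_t *b) {
    return (uint16_t)((b[0] << 8) | b[1]);   /* host byte order independent */
}

/* Before the fix: uint16_t promotes to int, so 4 - 8 is -4 as an int, and
 * storing -4 into a uint32_t yields 4294967292 (0xFFFFFFFC). */
uint32_t payload_len_unchecked(const uint8_t *pkt) {
    uint32_t n_bytes = read_be16(pkt + DEMO_DATALEN_OFF) - 8;
    return n_bytes;
}

/* After the fix, plus one more bound: data_len may not exceed the bytes that
 * actually arrived.  Returns -1 for a malformed packet, else the payload size. */
long payload_len_checked(const uint8_t *pkt, int len) {
    uint16_t data_len;
    if (len < DEMO_HDR_LEN)
        return -1;                          /* header itself is truncated */
    data_len = read_be16(pkt + DEMO_DATALEN_OFF);
    if (data_len < 8)
        return -1;                          /* the check added by the commit */
    if (data_len > len - DEMO_HDR_LEN)
        return -1;                          /* claims more data than received */
    return data_len - 8;
}

/* Constructed samples (not captured traffic). */
static const uint8_t demo_short[] = { 0x00, 0x00, 0x00, 0x04 };  /* data_len = 4 */
static const uint8_t demo_ok[]    = { 0x00, 0x00, 0x00, 0x10,     /* data_len = 16 */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

int main(void) {
    printf("unchecked short: %u\n", payload_len_unchecked(demo_short));
    printf("checked short:   %ld\n", payload_len_checked(demo_short, (int)sizeof demo_short));
    printf("checked ok:      %ld\n", payload_len_checked(demo_ok, (int)sizeof demo_ok));
    printf("checked lying:   %ld\n", payload_len_checked(demo_ok, DEMO_HDR_LEN));
    return 0;
}
```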

@ -358,10 +358,14 @@ static void handle_iec61883_packet(struct stream *stream,
struct avb_packet_iec61883 *p, int len)
{
uint32_t index, n_bytes;
uint16_t data_len;
int32_t filled;
filled = spa_ringbuffer_get_write_index(&stream->ring, &index);
n_bytes = ntohs(p->data_len) - 8;
data_len = ntohs(p->data_len);
if (data_len < 8)
return;
n_bytes = data_len - 8;
if (filled + n_bytes > stream->buffer_size) {
pw_log_debug("capture overrun");
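Review bot: the new `if (data_len < 8) return;` drops the malformed packet silently, while the overrun branch just below it logs with `pw_log_debug("capture overrun");` a matching debug message for the short-packet case would make a stream of such packets visible in logs instead of vanishing. Also, data_len is only checked against 8 and not against the function's `len` argument; unless that bound is enforced before this point, a data_len larger than the bytes actually received still lets n_bytes exceed the real payload, so consider rejecting data_len greater than `len` minus the header size here as well.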