From e01ca8919e6e08c383d9abbc2424cc9a6255f9dd Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Fri, 24 Apr 2026 14:09:48 +0200
Subject: [PATCH] security: fix integer underflow in AVB stream packet handling

Memory Safety: Critical

In handle_iec61883_packet(), the data_len field from an incoming network packet is converted via ntohs() and then unconditionally has 8 subtracted from it. If an attacker sends a malformed AVB packet with data_len < 8, the subtraction wraps the uint32_t n_bytes to a very large value (~4 billion). This corrupted size is then passed to spa_ringbuffer_write_data(), which can overwrite the ring buffer and adjacent heap memory with attacker-controlled network data.

Add a bounds check to verify data_len >= 8 before the subtraction, returning early on malformed packets.

Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-avb/stream.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/modules/module-avb/stream.c b/src/modules/module-avb/stream.c
index 26a3a795b..8ed904eb3 100644
--- a/src/modules/module-avb/stream.c
+++ b/src/modules/module-avb/stream.c
@@ -358,10 +358,14 @@ static void handle_iec61883_packet(struct stream *stream,
 struct avb_packet_iec61883 *p, int len)
 {
 uint32_t index, n_bytes;
+ uint16_t data_len;
 int32_t filled;
 filled = spa_ringbuffer_get_write_index(&stream->ring, &index);
- n_bytes = ntohs(p->data_len) - 8;
+ data_len = ntohs(p->data_len);
+ if (data_len < 8)
+ return;
+ n_bytes = data_len - 8;
 if (filled + n_bytes > stream->buffer_size) {
 pw_log_debug("capture overrun");
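Review bot: The new `if (data_len < 8) return;` closes the underflow, but `n_bytes` is still derived solely from the packet's own header and is never compared against `len`, the number of bytes actually received, so a packet that advertises a `data_len` larger than its real payload would presumably make the later ring-buffer copy read past the end of `p`. The `len` parameter is visible in the signature yet unused anywhere in the hunk. I would widen the guard to `if (data_len < 8 || len < 0 || (size_t)len < HDR_LEN + data_len) return;`, where HDR_LEN is a placeholder for the size of the fixed IEC 61883 header that precedes the payload (confirm against `struct avb_packet_iec61883` before committing). The body of handle_iec61883_packet() continues past the hunk, so the copy itself is not visible here; note also that `filled + n_bytes > stream->buffer_size` mixes an `int32_t` with a `uint32_t`, which is worth an explicit cast once the size is known to be bounded.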