mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-28 06:46:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix integer underflow in AVB stream packet handling

Browse source 
Memory Safety: Critical

In handle_iec61883_packet(), the data_len field from an incoming network
packet is converted via ntohs() and then unconditionally has 8 subtracted
from it. If an attacker sends a malformed AVB packet with data_len < 8,
the subtraction wraps the uint32_t n_bytes to a very large value
(~4 billion). This corrupted size is then passed to
spa_ringbuffer_write_data(), which can overwrite the ring buffer and
adjacent heap memory with attacker-controlled network data.

Add a bounds check to verify data_len >= 8 before the subtraction,
returning early on malformed packets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-24 14:09:48 +02:00
parent e3e1c4d214
commit e01ca8919e
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/modules/module-avb/stream.c
View file

@ -358,10 +358,14 @@ static void handle_iec61883_packet(struct stream *stream,
struct avb_packet_iec61883 *p, int len) struct avb_packet_iec61883 *p, int len)
{ {
uint32_t index, n_bytes; uint32_t index, n_bytes;
uint16_t data_len;
int32_t filled; int32_t filled;
filled = spa_ringbuffer_get_write_index(&stream->ring, &index); filled = spa_ringbuffer_get_write_index(&stream->ring, &index);
n_bytes = ntohs(p->data_len) - 8; data_len = ntohs(p->data_len);
if (data_len < 8)
return;
n_bytes = data_len - 8;
if (filled + n_bytes > stream->buffer_size) { if (filled + n_bytes > stream->buffer_size) {
pw_log_debug("capture overrun"); pw_log_debug("capture overrun");