security: validate packet length in AVB MAAP message handler

Input Validation: High

The maap_message() handler cast the incoming network data directly to
avb_packet_maap without checking that the received data was at least
sizeof(avb_packet_maap) bytes. The caller only validates the packet is
at least avb_packet_header size, which is smaller. A truncated MAAP
packet could cause out-of-bounds reads when accessing request_start,
request_count, conflict_start, and conflict_count fields in the probe
and defend handlers.

Fix by adding a minimum packet length check at the beginning of
maap_message().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-27 12:22:45 +02:00
parent c9d4854114
commit f16042d52a

@ -207,6 +207,9 @@ static int maap_message(struct maap *maap, uint64_t now, const void *message, in
{
const struct avb_packet_maap *p = message;
if (len < 0 || (size_t)len < sizeof(*p))
return 0;
if (AVB_PACKET_GET_SUBTYPE(&p->hdr) != AVB_SUBTYPE_MAAP)
return 0;
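
Review bot: The new length check at the top of maap_message() returns 0 for a truncated packet, which is the same value the subtype check right after it returns for a non-MAAP packet, so a malformed frame is dropped silently and cannot be told apart from an unrelated one. Consider logging the short length at debug level, or returning a negative errno if callers treat the return value as a status. A one-line comment stating that the caller only guarantees avb_packet_header size would also document why the check has to live in this function.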