From f16042d52a8a6d09076645a86a11d666906a37bb Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 27 Apr 2026 12:22:45 +0200
Subject: [PATCH] security: validate packet length in AVB MAAP message handler Input Validation: High The maap_message() handler cast the incoming network data directly to avb_packet_maap without checking that the received data was at least sizeof(avb_packet_maap) bytes. The caller only validates the packet is at least avb_packet_header size, which is smaller. A truncated MAAP packet could cause out-of-bounds reads when accessing request_start, request_count, conflict_start, and conflict_count fields in the probe and defend handlers. Fix by adding a minimum packet length check at the beginning of maap_message().
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-avb/maap.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/modules/module-avb/maap.c b/src/modules/module-avb/maap.c
index 2ba40cd33..866d234c9 100644
--- a/src/modules/module-avb/maap.c
+++ b/src/modules/module-avb/maap.c
@@ -207,6 +207,9 @@ static int maap_message(struct maap *maap, uint64_t now, const void *message, in
 {
 const struct avb_packet_maap *p = message;
+ if (len < 0 || (size_t)len < sizeof(*p))
+ return 0;
+
 if (AVB_PACKET_GET_SUBTYPE(&p->hdr) != AVB_SUBTYPE_MAAP)
 return 0;
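Review bot: The new length guard at the top of maap_message() drops a truncated frame with `return 0`, the same value the subtype check just below it returns for a non-MAAP packet, so a malformed MAAP frame arriving from the network leaves no trace for anyone investigating it. The reason for the check lives only in the commit message; I would state it on the guard itself, e.g. `/* caller only guarantees sizeof(struct avb_packet_header); the probe/defend handlers read fields beyond it */`, and consider a debug-level log or a drop counter on this path, rate-limited because the input is controlled by the sender. The guard covers the fixed struct size only, and the rest of maap_message() and the handlers it calls are outside this hunk, so if they use any length carried inside the packet, that value needs its own comparison against `len`. Other handlers dispatched by the same caller presumably rely on the same header-only guarantee and may need an equivalent check.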