mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-04-29 06:46:38 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: validate packet length in AVB MAAP message handler

Browse source 
Input Validation: High

The maap_message() handler cast the incoming network data directly to
avb_packet_maap without checking that the received data was at least
sizeof(avb_packet_maap) bytes. The caller only validates the packet is
at least avb_packet_header size, which is smaller. A truncated MAAP
packet could cause out-of-bounds reads when accessing request_start,
request_count, conflict_start, and conflict_count fields in the probe
and defend handlers.

Fix by adding a minimum packet length check at the beginning of
maap_message().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-27 12:22:45 +02:00
parent c9d4854114
commit f16042d52a
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/modules/module-avb/maap.c
View file

@ -207,6 +207,9 @@ static int maap_message(struct maap *maap, uint64_t now, const void *message, in
{ {
const struct avb_packet_maap *p = message; const struct avb_packet_maap *p = message;
if (len < 0 || (size_t)len < sizeof(*p))
return 0;
if (AVB_PACKET_GET_SUBTYPE(&p->hdr) != AVB_SUBTYPE_MAAP) if (AVB_PACKET_GET_SUBTYPE(&p->hdr) != AVB_SUBTYPE_MAAP)
return 0; return 0;