File and Resource Handling: Medium
The socket initialization code uses stat() followed by unlink() to clean
up stale socket files. This creates two issues:
1. stat() follows symlinks, so an attacker who places a symlink at the
socket path can trick the daemon into unlinking an arbitrary file.
2. The gap between stat() and unlink() creates a TOCTOU race window
where the file could be replaced between the check and the removal.
Fix by using lstat() to detect symlinks without following them, refusing
to proceed if the path is a symlink, and only unlinking files that are
actually sockets (S_ISSOCK). This narrows the race window and prevents
symlink-based file deletion attacks.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In get_midi_size(), the overflow check for SysEx and meta-event message
sizes has the comparison operator inverted. The check
(unsigned int)(INT_MAX - size - 1) > value
rejects small (safe) payload sizes and accepts large sizes that cause
signed integer overflow in the subsequent size += (int)value + 1.
This means all SysEx messages (0xF0, 0xF7) and system reset/meta events
(0xFF) with valid payloads are incorrectly rejected, while crafted
packets with very large variable-length values bypass the check. Although
the caller has a secondary bounds check that mitigates most exploitation,
the inverted check is both a functional bug (breaks SysEx over RTP) and
a defense-in-depth failure.
Fix by swapping the operands so that the check correctly rejects values
that would overflow: value > (unsigned int)(INT_MAX - size - 1).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
The nj2_dump_session_params() function logs char array fields (type,
name, driver_name, follower_name) from network-received
nj2_session_params structs using %s format. These fields are fixed-size
char arrays filled by recvfrom() and are not guaranteed to contain a null
terminator. A malicious peer can send a packet with no null bytes in
these fields, causing pw_log_info to read past the struct boundary,
potentially crashing the process or leaking adjacent heap memory.
Use %.*s format specifier with explicit maximum lengths in the dump
function to bound the string reads. Also force null-terminate the
string fields in nj2_session_params_ntoh() so that all downstream
consumers after byte-order conversion are safe.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Critical
In handle_iec61883_packet(), the data_len field from an incoming network
packet is converted via ntohs() and then unconditionally has 8 subtracted
from it. If an attacker sends a malformed AVB packet with data_len < 8,
the subtraction wraps the uint32_t n_bytes to a very large value
(~4 billion). This corrupted size is then passed to
spa_ringbuffer_write_data(), which can overwrite the ring buffer and
adjacent heap memory with attacker-controlled network data.
Add a bounds check to verify data_len >= 8 before the subtraction,
returning early on malformed packets.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
Several Bluetooth audio codec implementations calculate codesize by
multiplying samples * channels * sizeof(sample_type) without overflow
checks. The parameters come from Bluetooth codec negotiation, which is
influenced by the remote peer. If the multiplication overflows, codesize
wraps to a small value, causing subsequent buffer size checks to pass
while the actual data processing operates on the full (larger) sample
count, leading to heap buffer overflows.
Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP).
Add overflow checks before each codesize multiplication to ensure the
result fits in the target integer type, returning -EINVAL on overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
Several functions in the PulseAudio protocol implementation use alloca()
to allocate arrays of port_info, profile_info, or dict_item structs
based on counts derived from card parameters or client property lists.
These counts have no upper bounds, so a card object with a very large
number of parameters or a client sending many properties can cause
alloca() to exhaust the stack, resulting in a stack overflow crash.
Add a MAX_ALLOCA_SIZE (64KB) limit and check element counts before each
alloca() call. If the requested allocation exceeds the limit, the
function returns -ENOMEM instead of crashing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In descriptor_load(), the initial calloc for the descriptor struct, the
strdup for the label, and four calloc calls for port arrays (input,
output, control, notify) all lacked NULL checks. If any allocation fails
under memory pressure, the code proceeds to dereference NULL pointers
when populating the port arrays, causing a crash.
Add NULL checks after all allocation calls, using the existing
descriptor_unref cleanup path which already handles freeing partially
initialized descriptors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
File and Resource Handling: High
The pipe-tunnel module creates FIFOs and then adjusts their
permissions using chmod() on the path. Between mkfifo() and
chmod(), an attacker with write access to the directory (e.g.,
/tmp with the default hardcoded paths) can delete the FIFO and
replace it with a symlink to a target file. The chmod(0666) then
changes permissions on the symlink target, allowing the attacker
to make arbitrary files world-readable/writable.
Fix by:
1. Adding O_NOFOLLOW to the open() call so symlinks are rejected
at open time rather than followed.
2. Moving the permission change from chmod() (path-based, follows
symlinks) to fchmod() (fd-based, operates on the already-opened
and validated file descriptor), and doing it after the fstat
S_ISFIFO check confirms we opened an actual FIFO.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In both module-netjack2-driver.c and module-netjack2-manager.c, the
socket buffer size is computed as:
NETWORK_MAX_LATENCY * (mtu + period_size * sizeof(float) * n_ports)
This arithmetic is performed in int (signed 32-bit) but the
intermediate values can exceed INT_MAX with large but valid network
parameters. Signed integer overflow is undefined behavior in C,
and the resulting negative value passed to setsockopt would set an
incorrect socket buffer size.
Fix by widening the intermediate computation to size_t and clamping
the result to INT_MAX before storing in the int variable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In update_delay(), the delay compensation size is computed as
delay * sizeof(float) where delay is int64_t but size is uint32_t.
When the delay value is very large, the multiplication result
truncates to a small uint32_t value. This causes an undersized
buffer allocation in resize_delay(), while compensate_samples
retains the original large value. Subsequent use of
compensate_samples could then write past the end of the buffer.
A negative delay (possible if delay_samples overflows) would also
produce a large unsigned size due to implicit conversion.
Fix by clamping the delay to be non-negative and within the maximum
delay buffer size before the multiplication, ensuring the size
cannot truncate or wrap.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In recalculate_buffer(), the buffer size computation
(delay + (1u<<15)) * 4 can overflow uint32_t when delay is large.
Additionally, the subsequent multiplication buffer_size * channels
for the realloc size can also overflow uint32_t, wrapping to a
small value and causing an undersized allocation. Later writes to
the buffer using the logical buffer_size would then overflow the
heap.
The delay value derives from rate * target_delay where both values
come from stream negotiation properties.
Fix by adding an overflow check on the delay computation and
widening the allocation size to size_t to prevent the second
overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_init(), several buffer sizes are computed by multiplying
network-provided session parameters (period_size, channel counts,
kbps) without overflow checks. A malicious network peer can send
crafted session parameters that cause these multiplications to
overflow, resulting in undersized buffer allocations. Subsequent
writes to these buffers then overflow the heap.
Specific issues fixed:
1. midi_size = period_size * sizeof(float) * max_midi_channels can
overflow, causing calloc to allocate a small buffer.
2. encoded_size = max_encoded_size * max_audio_channels can overflow
for both INT and OPUS encoders.
3. OPUS kbps * period_size * 1024 numerator can overflow uint32_t;
widen to uint64_t for the intermediate calculation.
4. Division by zero if sample_rate is 0 in OPUS encoder path.
5. Missing NULL checks on calloc for empty and midi_data buffers.
6. Channel counts not capped to MAX_CHANNELS before use.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
When the system does not provide reallocarray(), pw_reallocarray()
falls back to realloc(ptr, nmemb * size). The multiplication
nmemb * size can silently overflow, causing a smaller-than-expected
allocation. Subsequent writes to the allocation then overflow the
heap buffer.
This function is used extensively throughout PipeWire for allocating
arrays from protocol data, making it a wide attack surface.
Fix by adding an explicit overflow check before the multiplication
in the fallback path, matching the behavior of the real
reallocarray().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In vban_midi_receive(), the received buffer is cast to struct
vban_header and its n_frames field is accessed before validating
that the packet is large enough to contain the header. A truncated
packet shorter than VBAN_HEADER_SIZE would cause an out-of-bounds
read.
Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header, matching the fix applied to vban_audio_receive().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In vban_audio_receive(), the received buffer is cast to struct
vban_header and its fields are accessed before validating that the
packet is large enough to contain the header. If a truncated packet
shorter than VBAN_HEADER_SIZE is received, this reads past the end
of the buffer.
Additionally, when len < hlen, the plen calculation (len - hlen)
produces a negative ssize_t value which, when used in the unsigned
division plen / stride, gets implicitly converted to a very large
value, potentially causing further out-of-bounds reads.
Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The MD5_hash() function formats password material into a 1024-byte
stack buffer for hashing but never clears it afterward. Similarly,
the Basic auth path in rtsp_add_raop_auth_header() formats
username:password into a stack buffer without clearing it.
These buffers remain on the stack after the functions return, and
could be exposed through memory disclosure vulnerabilities, core
dumps, or memory inspection.
Clear the buffers with explicit_bzero() immediately after they are
no longer needed, consistent with the existing practice of clearing
the password before freeing in impl_destroy().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_recv_float(), several values from untrusted network packet
headers are used in arithmetic without overflow protection:
1. active_ports from the network header had no upper bound check. A
very large value causes `active_ports * sub_period_bytes` to
overflow uint32_t, producing a small value that passes the length
check, then the loop iterates out of bounds on the receive buffer.
2. The sub_cycle bounds check `sub_cycle * sub_period_size >
quantum_limit` can overflow, allowing a large sub_cycle to pass
the check and cause an out-of-bounds write when computing the
destination offset.
Fix by capping active_ports to MAX_CHANNELS, casting to size_t for the
length check to prevent overflow, and rewriting the sub_cycle check as
a division to avoid overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_recv_midi(), the offset calculation `max_size * sub_cycle`
uses sub_cycle from an untrusted network packet header. A large
sub_cycle value could cause integer overflow, producing a small offset
that passes the subsequent bounds check and leads to an out-of-bounds
write into the MIDI data buffer.
Similarly, the bounds check `offset + len < midi_size` could itself
overflow, and the `used` size calculation from network-controlled
event_count and write_pos fields could overflow to bypass the size
check.
Fix by adding an explicit overflow check before the multiplication,
rewriting the bounds check to use subtraction (which cannot overflow
after the prior check), and adding an underflow check on the `used`
calculation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In ensure_size(), the check `m->length + size <= m->allocated` could
overflow when both m->length and size are large uint32_t values,
wrapping around to a small number and incorrectly passing the bounds
check. This could allow writing past the end of the allocated buffer.
Rewrite the check as `size <= m->allocated - m->length` which cannot
overflow since we already verified m->length <= m->allocated. Also add
an explicit overflow check for the new allocation size calculation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In pw_conf_save_state(), the return value of fdopen() was not checked
for NULL. If fdopen() fails, subsequent fprintf() and fclose() calls
would operate on a NULL FILE pointer, causing a crash. Additionally,
the file descriptor would be leaked since fclose() would not be called.
Added a NULL check after fdopen() that closes the raw fd and returns
an error on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The RAOP authentication password was freed without first clearing the
memory contents. This leaves the plaintext password in freed heap
memory where it could be recovered by an attacker with access to
process memory (e.g. via /proc/pid/mem, core dumps, or a separate
memory safety vulnerability).
Use explicit_bzero() to securely clear the password before freeing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In new_setup_simd(), the return value of malloc() for the PFFFT_Setup
struct was not checked before dereferencing. Similarly,
pffft_aligned_malloc() for the data buffer was not checked. If either
allocation fails, the code dereferences NULL causing a crash.
Add NULL checks for both allocations, freeing previously allocated
memory on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
When parsing a DSF audio file, blocksize and channels are read as
uint32_t from untrusted file data and multiplied together for the
buffer allocation. A malicious file could set these to values whose
product overflows, resulting in a small allocation followed by
out-of-bounds writes when the buffer is filled.
Add overflow checking before the multiplication and validate that
neither value is zero. Also use calloc(channels, blocksize) instead
of calloc(1, blocksize * channels) to let calloc perform its own
internal overflow check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In rtsp_do_options_auth(), the return values of strdup() for
auth_method, realm, and nonce were not checked for NULL. If strdup()
fails due to memory exhaustion, spa_streq() on auth_method will
dereference NULL, and the realm/nonce pointers will be used later in
MD5_hash() causing NULL pointer dereferences.
Add NULL checks after each strdup() call, returning -ENOMEM on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In dot_data_init(), the return value of malloc() was not checked before
dereferencing, causing a NULL pointer dereference if allocation fails.
In dot_data_ensure_max_size(), the return value of realloc() was
assigned directly to dd->data without checking for NULL, which both
loses the original pointer (memory leak) and causes a NULL pointer
dereference on subsequent use.
Add NULL checks for both cases. For realloc, use a temporary variable
to preserve the original pointer on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There is nothing wrong with the use of strcat here but security tools
keep complaining about it and creating bad patches for it so fix it
with a strbuf.
Memory Safety: High
Three malloc calls for ring buffers (rec_buffer, play_buffer,
out_buffer) had no NULL checks. If any allocation fails, the
NULL pointers would be passed to memset and ringbuffer
operations in reset_buffers(), causing a NULL pointer
dereference crash.
Additionally, the ring size calculations used uint32_t
arithmetic which could overflow with large user-configurable
buffer.max_size values. Cast to size_t to perform the
multiplication in 64-bit, preventing intermediate overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
strcpy was used to copy port names into fixed-size buffers
(REAL_JACK_PORT_NAME_SIZE+1) without explicit bounds checking.
Port names originate from JACK client API calls and PipeWire
port info, which are external inputs. Replaced with snprintf
using sizeof(destination) to guarantee the copy is always
bounded, preventing potential buffer overflows if source
strings exceed the expected maximum length.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Low
sprintf was used to format a temporary filename into an alloca'd
buffer. While the buffer was correctly sized (strlen + 5), using
snprintf with an explicit size makes the bound check enforceable
and prevents potential overflow if the sizing logic is modified
in the future.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Low
sprintf was used to format MD5 hex digest bytes into a fixed-size
buffer without explicit bounds. While the output is bounded by the
fixed MD5 digest length (16 bytes = 32 hex chars), using snprintf
with an explicit size of 3 (2 hex chars + null) ensures correctness
even if the surrounding code changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
sprintf was used to format a /proc path without bounds checking.
While pid_t values are practically bounded, using snprintf with
sizeof(root_path) ensures the buffer cannot overflow regardless
of the input value, following defense-in-depth principles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
