Memory Safety: High
Multiple AVB AECP AEM command handler functions copied network packet
data into stack buffers via memcpy(buf, m, len) without validating
that len fits within the destination buffer. A crafted AVB packet with
an oversized length could overflow the stack buffer.
Added bounds validation before each memcpy in:
- cmd-available.c: handle_cmd_entity_available_milan_v12
- cmd-get-set-configuration.c: set and get configuration handlers
- cmd-get-set-sampling-rate.c: unsolicited, invalid response, and get handlers
- cmd-get-set-stream-format.c: get and set stream format handlers
- cmd-lock-entity.c: handle_cmd_lock_entity_milan_v12
This matches the bounds checking pattern already used in
cmd-get-set-control.c, cmd-get-set-clock-source.c, and
cmd-get-set-name.c.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
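An added example, not PipeWire's code, showing the memcpy(buf, m, len) pattern the commit describes next to its bounds-checked form. Every name here is hypothetical (AVB_AEM_MAX_CMD, AEM_HDR_LEN, enum aem_status, handle_cmd_unchecked, handle_cmd_checked, sample_pkt), and the buffer sizes are made up; the check also rejects packets shorter than the header a handler would read, a lower bound the commit message does not mention but that the same pattern needs.

```c
/*
 * Added example (not the project's code). Hypothetical names throughout:
 * AVB_AEM_MAX_CMD, AEM_HDR_LEN, enum aem_status, handle_cmd_*, sample_pkt.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVB_AEM_MAX_CMD 64	/* hypothetical size of the stack buffer */
#define AEM_HDR_LEN 8		/* hypothetical minimum bytes a handler reads */

enum aem_status {
	AEM_STATUS_SUCCESS = 0,
	AEM_STATUS_BAD_ARGUMENTS = 1,	/* hypothetical reply code for a bad packet */
};

/*
 * Before: the length taken from the packet is used unchecked, so
 * len > sizeof(buf) writes past the end of the stack buffer.
 * Only ever called below with a length that fits.
 */
static enum aem_status handle_cmd_unchecked(const uint8_t *m, size_t len)
{
	uint8_t buf[AVB_AEM_MAX_CMD];

	memcpy(buf, m, len);	/* no bound on len */
	(void)buf;
	return AEM_STATUS_SUCCESS;
}

/*
 * After: validate len against the destination before the copy. The lower
 * bound matters too: a truncated packet would leave the header fields the
 * handler decodes as uninitialised stack bytes.
 */
static enum aem_status handle_cmd_checked(const uint8_t *m, size_t len)
{
	uint8_t buf[AVB_AEM_MAX_CMD];

	if (m == NULL || len < AEM_HDR_LEN || len > sizeof(buf))
		return AEM_STATUS_BAD_ARGUMENTS;

	memcpy(buf, m, len);
	/* a real handler would decode fields from buf[0..len) here */
	(void)buf;
	return AEM_STATUS_SUCCESS;
}

/* Constructed input: a zeroed 128-byte packet, larger than the buffer. */
static const uint8_t sample_pkt[128] = { 0 };

/*
 * Feed three constructed lengths to the checked handler: one that fits,
 * one shorter than the header, one larger than the buffer. Returns how
 * many were accepted (only the first should be).
 */
static int count_accepted(void)
{
	const size_t lens[] = { AVB_AEM_MAX_CMD, AEM_HDR_LEN - 1, sizeof(sample_pkt) };
	int ok = 0;
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		if (handle_cmd_checked(sample_pkt, lens[i]) == AEM_STATUS_SUCCESS)
			ok++;
	return ok;
}

int main(void)
{
	/* the unchecked variant is only exercised with a safe length */
	handle_cmd_unchecked(sample_pkt, AEM_HDR_LEN);
	printf("checked handler accepted %d of 3 packets\n", count_accepted());
	printf("oversized packet -> status %d\n",
	       handle_cmd_checked(sample_pkt, sizeof(sample_pkt)));
	return 0;
}
```

The check compares against sizeof(buf), the destination, not against the packet's own length field; comparing against anything the packet controls would leave the overflow in place.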
1. The period calls were added to handle timeouts.
2. Handle the case where the lock must be unlocked after 60s if the
controller owning the lock does not release it.
Fix two bugs in handle_cmd_lock_entity_milan_v12():
1. When server_find_descriptor() returns NULL, reply_status() was called
with the AEM packet pointer instead of the full ethernet frame,
corrupting the response ethernet header.
2. When refreshing an existing lock, the expire timeout was extended by
raw seconds (60) instead of nanoseconds (60 * SPA_NSEC_PER_SEC),
causing the lock to expire almost immediately after re-lock.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In the current state the GET/SET stream format can handle the command
responses; however, it does not take care of checking that:
* A bound input stream cannot have it set; it should reply accordingly.
* A STREAMING_STREAM output stream cannot have it set; it should reply
accordingly.