pipewire/src/modules/module-netjack2
Wim Taymans 42d51098ae security: validate recv length and use overflow-safe bounds in NetJack2 OPUS/INT
Memory Safety: High

The netjack2_recv_opus() and netjack2_recv_int() functions had two
issues:

1. Missing recv length validation: after recv(), neither function
   checked that the received data was at least sizeof(header) bytes.
   A short packet would cause the pointer to advance past received
   data, reading uninitialized VLA memory into the encoded buffer.

2. Integer overflow in bounds check: the expression
   (active_ports-1)*max_encoded + sub_cycle*sub_period_bytes + data_size
   uses sub_cycle from the network packet header. A large sub_cycle
   value can overflow the uint32_t multiplication, wrapping around to
   a small value and bypassing the encoded_size bounds check, leading
   to an out-of-bounds write into encoded_data.

Additionally, validate that the received data is large enough for the
active_ports * data_size memcpy to prevent reading past the buffer.

Fix by adding recv length checks, using spa_overflow_mul/add for the
bounds arithmetic, and validating recv'd data covers the copy region.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-27 12:47:55 +02:00
..
packets.h security: fix out-of-bounds read from non-null-terminated netjack2 strings 2026-04-24 15:55:35 +02:00
peer.c security: validate recv length and use overflow-safe bounds in NetJack2 OPUS/INT 2026-04-27 12:47:55 +02:00
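
The two checks described in the commit message above, as an added example that is not PipeWire's code: the wrapping bounds expression beside an overflow-checked form, plus the recv length check. It uses the GCC/Clang `__builtin_*_overflow` builtins as a stand-in for the `spa_overflow_mul`/`spa_overflow_add` helpers the commit names; `struct params`, the function names, and all values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical parameter bundle: names follow the commit message, the layout
 * is an assumption for this example and not PipeWire's own structures. */
struct params {
	uint32_t active_ports, max_encoded, sub_period_bytes, data_size;
	uint32_t encoded_size;	/* capacity of encoded_data in bytes */
};

/* Wrapping form: the uint32_t arithmetic can wrap to a small value. */
static bool fits_wrapping(const struct params *p, uint32_t sub_cycle)
{
	uint32_t end = (p->active_ports - 1) * p->max_encoded +
		sub_cycle * p->sub_period_bytes + p->data_size;
	return end <= p->encoded_size;
}

/* Checked form: a wrap in any intermediate step rejects the packet. */
static bool fits_checked(const struct params *p, uint32_t sub_cycle)
{
	uint32_t base, off, end;
	if (p->active_ports == 0 ||
	    __builtin_mul_overflow(p->active_ports - 1, p->max_encoded, &base) ||
	    __builtin_mul_overflow(sub_cycle, p->sub_period_bytes, &off) ||
	    __builtin_add_overflow(base, off, &end) ||
	    __builtin_add_overflow(end, p->data_size, &end))
		return false;
	return end <= p->encoded_size;
}

/* Length check: the datagram must hold the header plus the copied region. */
static bool recv_len_ok(size_t len, size_t header_size, const struct params *p)
{
	uint32_t need;
	if (len < header_size ||
	    __builtin_mul_overflow(p->active_ports, p->data_size, &need))
		return false;
	return len - header_size >= need;
}

int main(void)
{
	struct params p = { 2, 256, 64, 64, 512 };	/* constructed sample values */
	uint32_t sub_cycle = 0x04000000;	/* times 64 is 2^32, which wraps to 0 */
	printf("wrapping=%d checked=%d\n", fits_wrapping(&p, sub_cycle), fits_checked(&p, sub_cycle));
	return 0;
}
```

With the constructed values, the wrapping form accepts the oversized `sub_cycle` while the checked form rejects it; both agree on in-range values.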