From: Mashiro Chen
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, gregkh@linuxfoundation.org, ben@decadent.org.uk, linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Mashiro Chen
Subject: [PATCH 1/3] net: netrom: fix integer overflow in nr_queue_rx_frame()
Date: Wed, 8 Apr 2026 01:15:58 +0800
Message-ID: <20260407171600.102988-2-mashiro.chen@mailbox.org>
In-Reply-To: <20260407171600.102988-1-mashiro.chen@mailbox.org>

nr_sock.fraglen is declared as unsigned short, so accumulating received fragment lengths via nr->fraglen += skb->len; can silently wrap around to a small value once the total exceeds 65535 bytes. When the final fragment arrives (NR_MORE_FLAG clear), the wrapped fraglen is passed to alloc_skb(), which allocates an undersized buffer.
The subsequent skb_put() and skb_copy_from_linear_data() loop then writes the actual full data into it, resulting in a heap buffer overflow.

An attacker with NR_STATE_3 access (i.e. after completing a NET/ROM connection handshake, which open BBS/node services allow to any callsign) can trigger this by sending a stream of NR_INFO frames with the MORE flag set until fraglen wraps, followed by a final NR_INFO frame.

Fix by checking whether adding the incoming skb's length to the accumulated fraglen would exceed USHRT_MAX before each accumulation. If so, purge the fragment queue, reset fraglen, and return an error to signal receive-busy to the caller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Mashiro Chen
---
 net/netrom/nr_in.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c
index 97944db6b5ac6..0b7cdb99ae501 100644
--- a/net/netrom/nr_in.c
+++ b/net/netrom/nr_in.c
@@ -36,12 +36,22 @@ static int nr_queue_rx_frame(struct sock *sk, struct sk= _buff *skb, int more) nr_start_idletimer(sk); =20 if (more) { + if ((unsigned int)nr->fraglen + skb->len > USHRT_MAX) { + skb_queue_purge(&nr->frag_queue); + nr->fraglen =3D 0; + return 1; + } nr->fraglen +=3D skb->len; skb_queue_tail(&nr->frag_queue, skb); return 0; } =20 if (!more && nr->fraglen > 0) { /* End of fragment */ + if ((unsigned int)nr->fraglen + skb->len > USHRT_MAX) { + skb_queue_purge(&nr->frag_queue); + nr->fraglen =3D 0; + return 1; + } nr->fraglen +=3D skb->len; skb_queue_tail(&nr->frag_queue, skb); =20
-- 
2.53.0
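Review bot: the identical five-line overflow check is duplicated in the `if (more)` branch and the `if (!more && nr->fraglen > 0)` branch, and both branches follow it with the same `nr->fraglen += skb->len; skb_queue_tail(&nr->frag_queue, skb);`, so hoist the check above `if (more)` and run it once (a non-fragmented frame with `fraglen == 0` passes it trivially). Also, the new early return happens before `skb_queue_tail()`, so the rejected skb is still owned by the caller; the commit message should state that the caller frees it on the receive-busy return, otherwise it leaks. Finally, `USHRT_MAX` only stops the wrap; a peer can still make the socket hold and later `alloc_skb()` a 64 KiB contiguous buffer per connection, so a smaller protocol-level reassembly limit may be worth considering in a follow-up.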
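A user-space model of the fragment-length accounting that this patch fixes, added here as an example; it is not part of the patch or of net/netrom, and the names frag_state, naive_accumulate and checked_accumulate are hypothetical. It shows the pre-patch u16 wrap beside the patched bound check, including the boundary case where the running total equals USHRT_MAX.

```c
/* Added example, not kernel code: models nr_sock.fraglen accounting.
 * Only the 16-bit width and the USHRT_MAX bound come from the patch. */
#include <limits.h>
#include <stdio.h>

struct frag_state {                 /* hypothetical stand-in for nr_sock */
    unsigned short fraglen;         /* same width as nr_sock.fraglen */
    unsigned int   queued;          /* fragments held; models frag_queue */
};

/* Pre-patch accounting: the u16 addition wraps silently, so the value the
 * reassembly later hands to alloc_skb() can be far smaller than the number
 * of bytes actually sitting in the fragment queue. */
static unsigned short naive_accumulate(struct frag_state *st, unsigned int len)
{
    st->fraglen += len;             /* truncated to 16 bits on store */
    st->queued++;
    return st->fraglen;             /* size the reassembly would allocate */
}

/* Post-patch accounting: compute the sum in 32 bits first; on overflow drop
 * the partial reassembly and report receive-busy (1) instead of wrapping. */
static int checked_accumulate(struct frag_state *st, unsigned int len)
{
    if ((unsigned int)st->fraglen + len > USHRT_MAX) {
        st->queued = 0;             /* models skb_queue_purge(&nr->frag_queue) */
        st->fraglen = 0;
        return 1;
    }
    st->fraglen += len;
    st->queued++;
    return 0;
}

int main(void)
{
    struct frag_state old = {0, 0}, fixed = {0, 0};

    /* Constructed input: two fragments whose total (66000) exceeds 65535. */
    naive_accumulate(&old, 65000);
    printf("naive: would allocate %u bytes for %u queued bytes\n",
           naive_accumulate(&old, 1000), 66000u);

    checked_accumulate(&fixed, 65000);
    printf("checked: second fragment %s\n",
           checked_accumulate(&fixed, 1000) ? "rejected, queue purged"
                                             : "accepted");
    return 0;
}
```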
From: Mashiro Chen
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, gregkh@linuxfoundation.org, ben@decadent.org.uk, linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Mashiro Chen
Subject: [PATCH 2/3] net: netrom: validate source address in nr_find_socket()
Date: Wed, 8 Apr 2026 01:15:59 +0800
Message-ID: <20260407171600.102988-3-mashiro.chen@mailbox.org>
In-Reply-To: <20260407171600.102988-1-mashiro.chen@mailbox.org>

nr_find_socket() dispatches incoming NR_INFO frames into a connected socket by matching the frame's circuit index/id pair (bytes[15-16]) against the socket's my_index/my_id. It performs no validation of the frame's source callsign against the socket's dest_addr.
This means any node on the network can craft an NR_INFO frame with a guessed or brute-forced circuit index/id pair and have it accepted into an arbitrary STATE_3 connection as if it came from the legitimate peer. Circuit IDs are assigned sequentially starting at (1,1), making them predictable in practice.

This is exploited in concert with CVE-XXXX-XXXXX (nr_queue_rx_frame fraglen overflow): an attacker can inject NR_INFO | NR_MORE_FLAG frames into an existing connection without owning a connection themselves, driving the victim socket's fraglen to wrap and triggering the heap overflow entirely unauthenticated (CVSS PR:N).

Fix by adding a source address parameter to nr_find_socket() and requiring it to match the socket's recorded dest_addr for all frame-dispatch lookups. The internal nr_find_next_circuit() caller, which only checks for circuit ID availability, passes NULL to skip the source check.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Mashiro Chen
---
 net/netrom/af_netrom.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index b605891bf86e4..73742cc9e9e42 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -162,7 +162,8 @@ static struct sock *nr_find_listener(ax25_address *addr) /* * Find a connected NET/ROM socket given my circuit IDs. */ -static struct sock *nr_find_socket(unsigned char index, unsigned char id) +static struct sock *nr_find_socket(unsigned char index, unsigned char id, + const ax25_address *src) { struct sock *s; =20
@@ -170,7 +171,8 @@ static struct sock *nr_find_socket(unsigned char index,= unsigned char id) sk_for_each(s, &nr_list) { struct nr_sock *nr =3D nr_sk(s); =20 - if (nr->my_index =3D=3D index && nr->my_id =3D=3D id) { + if (nr->my_index =3D=3D index && nr->my_id =3D=3D id && + (!src || !ax25cmp(&nr->dest_addr, src))) { sock_hold(s); goto found; }
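Review bot: the function comment kept in the first hunk ("Find a connected NET/ROM socket given my circuit IDs.") no longer describes the signature; update it to say that `src`, when non-NULL, must equal the socket's `dest_addr`, and that NULL skips that check. The match itself is right (`ax25cmp()` returns 0 on equality, so `!ax25cmp(&nr->dest_addr, src)` selects a matching peer), but the NULL-means-skip convention is easy to misuse from a future caller, so a one-line comment at the condition would help as well.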
@@ -219,7 +221,8 @@ static unsigned short nr_find_next_circuit(void) j =3D id % 256; =20 if (i !=3D 0 && j !=3D 0) { - if ((sk=3Dnr_find_socket(i, j)) =3D=3D NULL) + sk =3D nr_find_socket(i, j, NULL); + if (!sk) break; sock_put(sk); } 
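Review bot: replacing `if ((sk=nr_find_socket(i, j)) == NULL)` with `sk = nr_find_socket(i, j, NULL); if (!sk) break;` changes style only; the behaviour is identical apart from the added `NULL` argument. For a stable-tagged fix it is cleaner to keep the hunk to the new argument and leave the restructuring for a separate cleanup, or say in the commit message that it was done deliberately.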
@@ -926,7 +929,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device = *dev) if (frametype =3D=3D NR_CONNREQ) sk =3D nr_find_peer(circuit_index, circuit_id, src); else - sk =3D nr_find_socket(circuit_index, circuit_id); + sk =3D nr_find_socket(circuit_index, circuit_id, src); } =20 if (sk !=3D NULL) {
-- 
2.53.0
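Review bot: passing `src` here mirrors the `nr_find_peer(circuit_index, circuit_id, src)` call on the NR_CONNREQ path two lines above, which is consistent, but it makes every non-CONNREQ lookup depend on `nr->dest_addr` being populated. The commit message should confirm that `dest_addr` is set for every socket that can be reached through `nr_find_socket()`, on both the initiating and the accepting side of a circuit; if some state leaves it unset, frames for those sockets now fail to match where they matched before. A ratelimited debug message or counter for a circuit-id hit with a source mismatch would also make the spoofing attempts this patch blocks visible to operators.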
From: Mashiro Chen
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, gregkh@linuxfoundation.org, ben@decadent.org.uk, linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Mashiro Chen
Subject: [PATCH 3/3] net: rose: fix out-of-bounds read in rose_parse_ccitt()
Date: Wed, 8 Apr 2026 01:16:00 +0800
Message-ID: <20260407171600.102988-4-mashiro.chen@mailbox.org>
In-Reply-To: <20260407171600.102988-1-mashiro.chen@mailbox.org>

rose_parse_ccitt() handles 0xC0-class facilities by reading l = p[1] and validating 10 <= l <= 20, but never checks whether the remaining buffer actually contains l + 2 bytes before accessing p + 7 and p + 12 via memcpy().
An attacker can send a ROSE_CALL_REQUEST frame with a crafted CCITT facility whose declared length fits the 10-20 range but whose actual data is truncated. This causes the kernel to read up to l + 2 bytes beyond the end of the facilities field, leaking adjacent skb data.

By contrast, rose_parse_national() already performs the equivalent check (if (len < 2 + l) return -1) for all its 0xC0-class cases. Add the same check to rose_parse_ccitt() before any data access.

Fixes: e0bccd315db0 ("rose: Add length checks to CALL_REQUEST parsing")
Cc: stable@vger.kernel.org
Signed-off-by: Mashiro Chen
---
 net/rose/rose_subr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 4dbc437a9e229..a902ddeddc5bd 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -370,6 +370,9 @@ static int rose_parse_ccitt(unsigned char *p, struct ro= se_facilities_struct *fac if (l < 10 || l > 20) return -1; =20 + if (len < 2 + l) + return -1; + if (*p =3D=3D FAC_CCITT_DEST_NSAP) { memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN); memcpy(callsign, p + 12, l - 10);
-- 
2.53.0
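Review bot: the bound `if (len < 2 + l) return -1;` is exactly tight for the reads that follow: `memcpy(callsign, p + 12, l - 10)` ends at `p + 2 + l`, and `memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN)` lies inside that because `l >= 10` is already enforced. Add a one-line comment stating that the check covers the reads up to `p + 2 + l`, since the arithmetic is not obvious at a glance, and confirm in the commit message that `len` at this point counts the bytes remaining from `p` rather than the whole facilities field, otherwise the check is off by the current offset. Placing the check in the same position as in rose_parse_national(), as the message says, keeps the two parsers reviewable side by side.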