[PATCH net 0/2] net: hamradio: fix missing input validation in bpqether and scc

Mashiro Chen posted 2 patches 2 months, 1 week ago
There is a newer version of this series
drivers/net/hamradio/bpqether.c | 3 +++
drivers/net/hamradio/scc.c      | 2 ++
2 files changed, 5 insertions(+)
Posted by Mashiro Chen 2 months, 1 week ago
Two fixes for missing input validation in the hamradio drivers:

- bpqether: bpq_rcv() computes frame length as data[0] + data[1]*256 - 5,
  which can underflow when the length fields encode a value less than 5.
  The resulting negative value is subsequently used as an unsigned length,
  leading to out-of-bounds access.

- scc: the SIOCSCCSMEM ioctl accepts a bufsize of 0 without validation.
  When a receive interrupt fires, dev_alloc_skb(0) allocates an skb with
  an empty data area, and the subsequent skb_put_u8() calls write into
  the adjacent skb_shared_info, corrupting heap memory.

Both fixes are minimal, adding only a bounds check before the dangerous
operation.

Mashiro Chen (2):
  net: hamradio: bpqether: validate frame length in bpq_rcv()
  net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl

 drivers/net/hamradio/bpqether.c | 3 +++
 drivers/net/hamradio/scc.c      | 2 ++
 2 files changed, 5 insertions(+)

-- 
2.53.0
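
The bpqether length arithmetic described in the cover letter, as an added userspace example (not code from the patches or the driver). The helper names, the avail parameter and the upper-bound check against the received size are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPQ_LEN_BIAS 5  /* the "- 5" in the cover letter's expression */

/* Length arithmetic as quoted in the cover letter. uint8_t operands are
 * promoted to int, so an encoded length below 5 gives a negative result. */
static int bpq_len_raw(const uint8_t *data)
{
    return data[0] + data[1] * 256 - BPQ_LEN_BIAS;
}

/* What a negative int becomes once it is passed as an unsigned length. */
static size_t bpq_len_as_unsigned(const uint8_t *data)
{
    return (size_t)bpq_len_raw(data);
}

/* Hypothetical checked helper: avail is the number of bytes received,
 * including the two length bytes. Returns 0 and stores the payload length,
 * or -1 when the frame should be dropped. The upper bound against avail is
 * an assumption of this example. */
static int bpq_len_checked(const uint8_t *data, size_t avail, size_t *out)
{
    int len;

    if (avail < 2)
        return -1;
    len = bpq_len_raw(data);
    if (len < 0 || (size_t)len > avail - 2)
        return -1;
    *out = (size_t)len;
    return 0;
}

int main(void)
{
    const uint8_t bad[2] = { 2, 0 };   /* constructed: encodes 2, below 5 */
    size_t n = 0;

    printf("raw=%d unsigned=%zu checked=%d\n", bpq_len_raw(bad),
           bpq_len_as_unsigned(bad), bpq_len_checked(bad, sizeof(bad), &n));
    return 0;
}
```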