archive/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-08-16 06:31:34 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Browse source 
Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
	type = 0x1,
	ver = 0x1,
	code = 0x0,
	sid = 0x2,
        length = 0x0,
	tag = 0xffff8880371cdb96
}

from the skb struct (trimmed)
      tail = 0x16,
      end = 0x140,
      head = 0xffff88803346f400 "4",
      data = 0xffff88803346f416 ":\377",
      truesize = 0x380,
      len = 0x0,
      data_len = 0x0,
      mac_len = 0xe,
      hdr_len = 0x0,

it is not safe to access data[2].

Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[pabeni@redhat.com: fixed subj typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Arnaud Lecomte 2025-04-08 17:55:08 +02:00 committed by Paolo Abeni
parent 0bb2f7a1ad
commit aabc6596ff
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
drivers/net/ppp/ppp_synctty.c
View file

@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
unsigned char *data;
int islcp;
/* Ensure we can safely access protocol field and LCP code */
if (!pskb_may_pull(skb, 3)) {
kfree_skb(skb);
return NULL;
}
data = skb->data;
proto = get_unaligned_be16(data);