From: David Laight <david.laight.linux@gmail.com>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Sjur Braendeland <sjur.brandeland@stericsson.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH] caif: fix integer underflow in cffrml_receive()
Date: Thu, 11 Dec 2025 13:26:16 +0000 [thread overview]
Message-ID: <20251211132616.0dd2c103@pumpkin> (raw)
In-Reply-To: <SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Thu, 04 Dec 2025 21:30:47 +0800
Junrui Luo <moonafterrain@outlook.com> wrote:
> The cffrml_receive() function extracts a length field from the packet
> header and, when FCS is disabled, subtracts 2 from this length without
> validating that len >= 2.
>
> If an attacker sends a malicious packet with a length field of 0 or 1
> to an interface with FCS disabled, the subtraction causes an integer
> underflow.
>
> This can lead to memory exhaustion and kernel instability, potential
> information disclosure if padding contains uninitialized kernel memory.
>
> Fix this by validating that len >= 2 before performing the subtraction.
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
> net/caif/cffrml.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
> index 6651a8dc62e0..d4d63586053a 100644
> --- a/net/caif/cffrml.c
> +++ b/net/caif/cffrml.c
> @@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
> len = le16_to_cpu(tmp);
>
> /* Subtract for FCS on length if FCS is not used. */
> - if (!this->dofcs)
> + if (!this->dofcs) {
> + if (len < 2) {
> + ++cffrml_rcv_error;
> + pr_err("Invalid frame length (%d)\n", len);
Doesn't that let the same remote attacker flood the kernel message buffer?
David
> + cfpkt_destroy(pkt);
> + return -EPROTO;
> + }
> len -= 2;
> + }
>
> if (cfpkt_setlen(pkt, len) < 0) {
> ++cffrml_rcv_error;
>
> ---
> base-commit: 559e608c46553c107dbba19dae0854af7b219400
> change-id: 20251204-fixes-23393d72bfc8
>
> Best regards,
next prev parent reply other threads:[~2025-12-11 13:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-04 13:30 [PATCH] caif: fix integer underflow in cffrml_receive() Junrui Luo
2025-12-09 19:13 ` Simon Horman
2025-12-11 9:40 ` patchwork-bot+netdevbpf
2025-12-11 13:26 ` David Laight [this message]
2025-12-15 11:33 ` Junrui Luo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251211132616.0dd2c103@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=danisjiang@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=moonafterrain@outlook.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sjur.brandeland@stericsson.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.