From: Simon Horman <horms@kernel.org>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Sjur Braendeland <sjur.brandeland@stericsson.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH] caif: fix integer underflow in cffrml_receive()
Date: Tue, 9 Dec 2025 19:13:33 +0000
Message-ID: <aTh03SMwEsCB_fh3@horms.kernel.org>
In-Reply-To: <SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com>
On Thu, Dec 04, 2025 at 09:30:47PM +0800, Junrui Luo wrote:
> The cffrml_receive() function extracts a length field from the packet
> header and, when FCS is disabled, subtracts 2 from this length without
> validating that len >= 2.
>
> If an attacker sends a malicious packet with a length field of 0 or 1
> to an interface with FCS disabled, the subtraction causes an integer
> underflow.
>
> This can lead to memory exhaustion and kernel instability, and to
> potential information disclosure if padding contains uninitialized kernel memory.
>
> Fix this by validating that len >= 2 before performing the subtraction.
>
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Hi Junrui,
I agree with your analysis and that the problem was introduced
by the cited commit.
I think that this function could benefit from a goto label that is jumped
to by all of the cases that follow the same error handling logic as this
one - I count 4 including this one. But as a minimal bug fix I agree this
is a good approach.
No need to repost, but in future please consider targeting networking
bug fixes at the net tree like this:
Subject: [PATCH net] ...
Reviewed-by: Simon Horman <horms@kernel.org>
...
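The wraparound described in the patch and the `len >= 2` check that the fix adds, shown side by side as an added example (not the kernel's cffrml.c code): the helper names are hypothetical, and the header is assumed to carry a 16-bit little-endian length field that has 2 subtracted from it when FCS is disabled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the framing-layer length logic. The header is
 * assumed to carry a 16-bit little-endian length (an assumption of this
 * example, not code copied from the kernel). When FCS is disabled, the
 * 2-byte FCS is subtracted from that length. */

/* Pre-fix behaviour: unsigned 16-bit subtraction silently wraps. */
unsigned int frame_len_unchecked(uint8_t b0, uint8_t b1, bool dofcs)
{
	uint16_t len = (uint16_t)(b0 | (b1 << 8)); /* like le16_to_cpu() */

	if (!dofcs)
		len -= 2; /* len == 0 becomes 65534, len == 1 becomes 65535 */
	return len;
}

/* Fixed behaviour: validate before subtracting. Returns the payload length,
 * or -1 where the kernel would log a framing error, drop the packet and
 * return -EPROTO. */
int frame_len_checked(uint8_t b0, uint8_t b1, bool dofcs)
{
	uint16_t len = (uint16_t)(b0 | (b1 << 8));

	if (!dofcs) {
		if (len < 2)
			return -1; /* too short to even hold the FCS bytes */
		len -= 2;
	}
	return len;
}

int main(void)
{
	/* Constructed headers: length 0, length 1 and length 16. */
	const uint8_t hdrs[3][2] = { {0x00, 0x00}, {0x01, 0x00}, {0x10, 0x00} };

	for (int i = 0; i < 3; i++) {
		printf("hdr %02x%02x: unchecked=%u checked=%d\n",
		       hdrs[i][0], hdrs[i][1],
		       frame_len_unchecked(hdrs[i][0], hdrs[i][1], false),
		       frame_len_checked(hdrs[i][0], hdrs[i][1], false));
	}
	return 0;
}
```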