From: Joerg Reuter <jreuter@yaina.de>
To: Mashiro Chen <mashiro.chen@mailbox.org>
Cc: netdev@vger.kernel.org, andrew+netdev@lunn.ch,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, linux-hams@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl
Date: Wed, 8 Apr 2026 22:51:05 +0200
Message-ID: <ada_uT5lwgXA3nK9@yaina.de>
In-Reply-To: <20260408172358.281186-3-mashiro.chen@mailbox.org>

Hi,

On Thu, Apr 09, 2026 at 01:23:58AM +0800, Mashiro Chen wrote:

> If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
> interrupt handler later calls dev_alloc_skb(0) and immediately writes
> a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
> corrupting the adjacent skb_shared_info region.

Oops, that's unfortunate.

> The scc.c comment already states the buffer must not exceed 4096 bytes,
> but this limit is never enforced.

That was a limit 30 years ago when we couldn't have skbs larger than one
page.

I'm not sure if anyone is actually using AX.25 jumbograms with a Zilog SCC
controller, that doesn't make much sense to me. But maybe someone out there
is indeed running IP over huge AX.25 UI frames, thus I'm not a fan of
enforcing an upper limit either. It's hamradio, you're supposed to tinker.

I'm okay with a minimum size of 16, of course.

73,
    Joerg

-- 
Joerg Reuter                                    http://yaina.de/jreuter
And I make my way to where the warm scent of soil fills the evening air. 
Everything is waiting quietly out there....                 (Anne Clark)
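
A user-space model of the case discussed in this message, added here as an illustration; it is not code from the patch or from scc.c. All names (`model_buf`, `model_set_bufsize`, `model_put_u8`, `model_rx_start`) are hypothetical, and the check applies only the lower bound of 16 with no upper limit, as the reply suggests.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define MODEL_MIN_BUFSIZE 16u /* lower bound accepted in the reply above */

/* Hypothetical user-space stand-in for a socket buffer's data area. */
struct model_buf {
    unsigned char *head;
    size_t len; /* bytes written so far */
    size_t cap; /* bytes available for data */
};

/* Ioctl-side check: reject too-small sizes, keep the old value on error.
 * No upper bound is applied, following the maintainer's comment. */
int model_set_bufsize(unsigned int *stored, unsigned int requested)
{
    if (requested < MODEL_MIN_BUFSIZE)
        return -EINVAL;
    *stored = requested;
    return 0;
}

/* Bounds-checked append: reports missing tailroom instead of writing. */
int model_put_u8(struct model_buf *b, unsigned char v)
{
    if (b->len >= b->cap)
        return -ENOBUFS;
    b->head[b->len++] = v;
    return 0;
}

/* Receive-path model: allocate bufsize bytes, then store the KISS type
 * byte (0 = data frame) as the first byte of the frame. */
int model_rx_start(unsigned int bufsize)
{
    struct model_buf b = { malloc(bufsize ? bufsize : 1), 0, bufsize };
    int rc;
    if (!b.head)
        return -ENOMEM;
    rc = model_put_u8(&b, 0);
    free(b.head);
    return rc;
}

int main(void)
{
    printf("rx with bufsize 0: %d, 16: %d\n", model_rx_start(0), model_rx_start(16));
    return 0;
}
```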

Thread overview: 5+ messages
2026-04-08 17:23 [PATCH net 0/2] net: hamradio: fix missing input validation in bpqether and scc Mashiro Chen
2026-04-08 17:23 ` [PATCH net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv() Mashiro Chen
2026-04-08 21:05   ` Joerg Reuter
2026-04-08 17:23 ` [PATCH net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl Mashiro Chen
2026-04-08 20:51   ` Joerg Reuter [this message]
