From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1809631328D
	for <linux-kernel@vger.kernel.org>; Thu, 11 Dec 2025 13:26:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1765459583; cv=none; b=fH8DJYVCdzWXd8V5arwim5f/ZLpuNffAV/cV/ywKeWOcPRqtwdxMlmWMw0xbEqGN4Xc9qmdqKEI5oeld3XJ73OkDPJbux/SrE+5zvhcCrxzgfQb3I8zWwbq9EbECzMkzbgDxgMl/FWGlwcb+3qrdQS6LOsVAC0FRE+kiGjE1E+c=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1765459583; c=relaxed/simple;
	bh=g4EZtkPk8SWeZdiy6hP00m8tmMqkLZiYMlk+LWYtQUQ=;
	h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=ZgOFxWNq/EMkeFFZ0xH23tyt0hwx0dgfzhl8/KNre3dDLlb7DEcxqAFjUCpOcN1nZ9e9JWoEP9bpcGEOzJTHitp2inwUY2xfUrcDBSZB5JEkPiw+84+YSrqAgMx4E5rHAdE6/3E0vpknsnX90a4Kjn96cLnJ2zLfsynqVTg4QcE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=L8MxOb2u; arc=none smtp.client-ip=209.85.128.54
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="L8MxOb2u"
Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-477bf34f5f5so998265e9.0
        for <linux-kernel@vger.kernel.org>; Thu, 11 Dec 2025 05:26:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1765459579; x=1766064379; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ZlfuqWd+wXy1Z6z/5IbBi7MVW3SrOYuOUgMVtqsk6rQ=;
        b=L8MxOb2uljsVbiEyIovNw3uL7W7zHBpVLh+IgmGwnmIyulhbXw1qevwovmiK6aj60L
         PJhbIgFIu7x77pxe9LpyKa2qjzHpi6w+Ak95hszwXgIdkEaP2IDAdo39Hgx8KgJ0Edrq
         fBK3UoBKAPhwEUvKL2DxsQ9mO0jRU7+WqxyeXp4ke2uQ0qQvdvnwxvSnuuSR/f8ovL1Y
         hKTj1WSlzRNVehjZwjg2jBK+BUn0ueeu5oTav8N1l52bHFHq8Jlm3Q90TdkBqzVLeAhY
         /d7c31l2Gb6kDsACyuQlcXg6nAYDP+Xocz5p61ynDD/tdc6u/VWGsQbrCPnqBrP8avdv
         /f0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1765459579; x=1766064379;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=ZlfuqWd+wXy1Z6z/5IbBi7MVW3SrOYuOUgMVtqsk6rQ=;
        b=RzLmv/YzNPxA7Xd+QcLztXOOCj+1YpjRbspUrbbyIpzB8VIxT02N8rZw1wf0n1YkTa
         lQEDWGfZNCeg5y4/uiR8AVynknAZVqAsDuIBAjFEOIDmAH6WyYJsvKTklNUueMTLxngs
         mJF5Eb0ggBn4OuhG4zGfLhnxsB/Qqv3rcPXdw6ve3WRNHiTrXpOeRzWs7iV8eUbbYpYB
         3ultkzhxYx6M2/Ypxrxa09zDtbwEXIkW7t4Ww5BCJYE2k65EFEncM7EG5KbtujqlDe2c
         HFX28CBG/dJlV3KmTXLsyRxujb4eneLMEVsptHFK3TW+zwXCTQHZd0BM13DNqHfQ4qgW
         PIWw==
X-Forwarded-Encrypted: i=1; AJvYcCXllTweeuf1NLcUPWmh4UInrN6ZCgg14v3T+fXpZ/Kw0HFORgfZPr2W3QiPNG3zYqqdRl8RbSZq5usJte0=@vger.kernel.org
X-Gm-Message-State: AOJu0YxLnOxmCiIDk4Bx5nfMoLvjcWvIUPCY3hUsKi7cBn2q85U+9tVN
	6zUs1CVegOkJr1v+XkjUN9Zi9sCtp8byRA1g0ucLWywe+zwgUf0igkkP
X-Gm-Gg: AY/fxX5ftHcwmBxAGqhd056BbFBMhTG4cFEg8szU92wK+Bm2+ha+P8KKSu9D1oUoM9s
	j92CqTDaBUkoS2LikfyVZo/vSBzrp6hbMEOLQM5KFsE1TlAChkQYr7auQY4Yq54J3OsSlu1BvGo
	+SgEfcjYL1gKl4OsvhFe2O77AohDZGDSzgrrrSZhVf6hJzftAsrb/Szzod0ncHYBcer50brUAJE
	MzN2p/9YVhqhfWeGNWhu9DdjVg3LrcqTMkKrSBC3lhUYdrlhdBo2OEt/YFbyXqNquzms4LtRTaj
	d+TH5wkEBdYTXI55sRNTZEH/akT0HLLkzqP/xYDx2Luoqqo9nYET4kwt+23Tn+rTRcT1cQ6nP1m
	2+ajule89i+F0vMoDUZNmHIpMpt0uCkuBpefc0hNYFqUZyKhl5JOoZdoACgdYg8Qb6vLG2qMz1z
	PtQHfLY3azzEsyaz9q204uu90ct0aabPHWfbNWGKvUOX/GtqU/swhZ
X-Google-Smtp-Source: AGHT+IH6movm7b2euzwcgRjXCZdmfEYd3c5Akj56OpLE2KX8CWu2MNAl4nC6XLt32a72nqxw++BF1w==
X-Received: by 2002:a05:6000:2c11:b0:42b:4139:5794 with SMTP id ffacd0b85a97d-42fa3b12ba1mr6655880f8f.58.1765459578915;
        Thu, 11 Dec 2025 05:26:18 -0800 (PST)
Received: from pumpkin (82-69-66-36.dsl.in-addr.zen.co.uk. [82.69.66.36])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-42fa8b9b259sm5539863f8f.41.2025.12.11.05.26.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 11 Dec 2025 05:26:18 -0800 (PST)
Date: Thu, 11 Dec 2025 13:26:16 +0000
From: David Laight <david.laight.linux@gmail.com>
To: Junrui Luo <moonafterrain@outlook.com>
Cc: "David S. Miller" <davem@davemloft.net>, Eric Dumazet
 <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni
 <pabeni@redhat.com>, Simon Horman <horms@kernel.org>, Sjur Braendeland
 <sjur.brandeland@stericsson.com>, netdev@vger.kernel.org,
 linux-kernel@vger.kernel.org, Yuhao Jiang <danisjiang@gmail.com>
Subject: Re: [PATCH] caif: fix integer underflow in cffrml_receive()
Message-ID: <20251211132616.0dd2c103@pumpkin>
In-Reply-To: <SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com>
References: <SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Thu, 04 Dec 2025 21:30:47 +0800
Junrui Luo <moonafterrain@outlook.com> wrote:

> The cffrml_receive() function extracts a length field from the packet
> header and, when FCS is disabled, subtracts 2 from this length without
> validating that len >= 2.
> 
> If an attacker sends a malicious packet with a length field of 0 or 1
> to an interface with FCS disabled, the subtraction causes an integer
> underflow.
> 
> This can lead to memory exhaustion and kernel instability, potential
> information disclosure if padding contains uninitialized kernel memory.
> 
> Fix this by validating that len >= 2 before performing the subtraction.
> 
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Reported-by: Junrui Luo <moonafterrain@outlook.com>
> Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
>  net/caif/cffrml.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
> index 6651a8dc62e0..d4d63586053a 100644
> --- a/net/caif/cffrml.c
> +++ b/net/caif/cffrml.c
> @@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
>  	len = le16_to_cpu(tmp);
>  
>  	/* Subtract for FCS on length if FCS is not used. */
> -	if (!this->dofcs)
> +	if (!this->dofcs) {
> +		if (len < 2) {
> +			++cffrml_rcv_error;
> +			pr_err("Invalid frame length (%d)\n", len);

Doesn't that let the same remote attacker flood the kernel message buffer?

	David

> +			cfpkt_destroy(pkt);
> +			return -EPROTO;
> +		}
>  		len -= 2;
> +	}
>  
>  	if (cfpkt_setlen(pkt, len) < 0) {
>  		++cffrml_rcv_error;
> 
> ---
> base-commit: 559e608c46553c107dbba19dae0854af7b219400
> change-id: 20251204-fixes-23393d72bfc8
> 
> Best regards,