net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl - wireguard-linux

diff options

author	Mashiro Chen <mashiro.chen@mailbox.org>	2026-04-09 10:49:27 +0800
committer	Jakub Kicinski <kuba@kernel.org>	2026-04-12 13:19:03 -0700
commit	8263e484d6622464ec72a5ad563f62492d84fa54 (patch)
tree	516c90cac711f2886e539a8005a35587ec2b2ed7 /include/rdma/ssh:/git@git.zx2c4.com
parent	net: hamradio: bpqether: validate frame length in bpq_rcv() (diff)

net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl

The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and assigns its bufsize field directly to scc->stat.bufsize without any range validation: scc->stat.bufsize = memcfg.bufsize; If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive interrupt handler later calls dev_alloc_skb(0) and immediately writes a KISS type byte via skb_put_u8() into a zero-capacity socket buffer, corrupting the adjacent skb_shared_info region. Reject bufsize values smaller than 16; this is large enough to hold at least one KISS header byte plus useful data. Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org> Acked-by: Joerg Reuter <jreuter@yaina.de> Link: https://patch.msgid.link/20260409024927.24397-3-mashiro.chen@mailbox.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'include/rdma/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: