git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Pavitra Jha <jhapavitra98@gmail.com>
	Fri, 1 May 2026 11:07:12 +0000 (07:07 -0400)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 6 May 2026 02:05:11 +0000 (19:05 -0700)
commit	0e7c074cfcd9bd93765505f9eb8b42f03ed2a744
tree	db6792d984d12515470957bca8d107ba5dc13e63	tree \| snapshot
parent	f83e07b29246f468bc7c99f98ca1897843fa8167	commit \| diff

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.

Fixes: da45d2566a1d ("net: wwan: t7xx: Add control port")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Link: https://patch.msgid.link/20260501110713.145563-1-jhapavitra98@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

drivers/net/wwan/t7xx/t7xx_modem_ops.c		diff \| blob \| blame \| history
drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c		diff \| blob \| blame \| history
drivers/net/wwan/t7xx/t7xx_port_proxy.h		diff \| blob \| blame \| history