git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Junrui Luo <moonafterrain@outlook.com>
	Thu, 4 Dec 2025 13:30:47 +0000 (21:30 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 11 Dec 2025 09:35:41 +0000 (01:35 -0800)
commit	8a11ff0948b5ad09b71896b7ccc850625f9878d1
tree	3a555c6c3f37e2dc6c5d1399adf0f738ed8040b3	tree \| snapshot
parent	71cfa7c893a05d09e7dc14713b27a8309fd4a2db	commit \| diff

caif: fix integer underflow in cffrml_receive()

The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.

If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.

This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.

Fix this by validating that len >= 2 before performing the subtraction.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>