git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Junrui Luo <moonafterrain@outlook.com>
	Thu, 4 Dec 2025 13:30:47 +0000 (21:30 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 19 Jan 2026 12:09:44 +0000 (13:09 +0100)
commit	c54091eec6fed19e94182aa05dd6846600a642f7
tree	0c4ac8816ec1872639a05f6d8d1c98864717c2b1	tree \| snapshot
parent	312d7cd88882fc6cadcc08b02287497aaaf94bcd	commit \| diff

caif: fix integer underflow in cffrml_receive()

[ Upstream commit 8a11ff0948b5ad09b71896b7ccc850625f9878d1 ]

The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.

If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.

This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.

Fix this by validating that len >= 2 before performing the subtraction.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>