git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl
author: Mashiro Chen <mashiro.chen@mailbox.org>
Thu, 9 Apr 2026 02:49:27 +0000 (10:49 +0800)
committer: Jakub Kicinski <kuba@kernel.org>
Sun, 12 Apr 2026 20:19:03 +0000 (13:19 -0700)
The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and
assigns its bufsize field directly to scc->stat.bufsize without any
range validation:

  scc->stat.bufsize = memcfg.bufsize;

If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
interrupt handler later calls dev_alloc_skb(0) and immediately writes
a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
corrupting the adjacent skb_shared_info region.

Reject bufsize values smaller than 16; this is large enough to hold
at least one KISS header byte plus useful data.

Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Acked-by: Joerg Reuter <jreuter@yaina.de>
Link: https://patch.msgid.link/20260409024927.24397-3-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/hamradio/scc.c

index ae5048efde686afd25eb0e4a9f8c26f603f05b79..8569db4a71401c743a457292f830928730d1133e 100644 (file)
@@ -1909,6 +1909,8 @@ static int scc_net_siocdevprivate(struct net_device *dev,
                        if (!capable(CAP_SYS_RAWIO)) return -EPERM;
                        if (!arg || copy_from_user(&memcfg, arg, sizeof(memcfg)))
                                return -EINVAL;
+                       if (memcfg.bufsize < 16)
+                               return -EINVAL;
                        scc->stat.bufsize   = memcfg.bufsize;
                        return 0;
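Review bot: the lower bound in `if (memcfg.bufsize < 16)` is a bare magic number whose justification (room for one KISS type byte plus useful data) lives only in the commit message; give it a named constant (a `#define` next to the other scc.c limits) or at least a one-line comment above the check so a later reader of this ioctl does not have to consult git log to see why 16 was chosen. The placement itself is right: the check runs after copy_from_user() has succeeded and before `scc->stat.bufsize = memcfg.bufsize;`, so a rejected value never reaches the receive interrupt path. Since the hunk constrains only the low end, it is worth stating in the code or commit message whether an upper bound on bufsize is needed as well.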