lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20250906012016.58856-1-disclosure@aisle.com>
Date: Sat,  6 Sep 2025 04:20:16 +0300
From: Stanislav Fort <stanislav.fort@...le.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	linux-hams@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	security@...nel.org,
	Stanislav Fort <disclosure@...le.com>,
	stable@...r.kernel.org
Subject: [PATCH net v4] netrom: linearize and validate lengths in nr_rx_frame()

Linearize skb and add targeted length checks in nr_rx_frame() to
prevent out-of-bounds reads and potential use-after-free (UAF) when
processing malformed NET/ROM frames.

- Require skb to be linear and at least NR_NETWORK_LEN +
  NR_TRANSPORT_LEN (20 bytes) before reading
  network/transport fields.
- For existing sockets path, ensure NR_CONNACK includes the window
  byte (>= 21 bytes).
- For CONNREQ handling, ensure window (byte 20) and user address
  (bytes 21-27) are present (>= 28 bytes).
- Preserve existing BPQ extension handling:
  - NR_CONNACK len == 22 -> 1 extra byte (TTL)
  - NR_CONNREQ len == 37 -> 2 extra bytes (timeout)

These validations block malformed frames from triggering bounds
violations via short skbs. Because NET/ROM frames may originate from
remote peers, the issue is externally triggerable and therefore
security-relevant.

Suggested-by: Eric Dumazet <edumazet@...gle.com>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@...r.kernel.org
Signed-off-by: Stanislav Fort <disclosure@...le.com>
---
Changes since v3:
- Wrap commit message at 74 columns
- Add Fixes tag and Cc: stable
- Drop Reported-by
- Add Reviewed-by from Eric Dumazet
---
 net/netrom/af_netrom.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 3331669d8e33..f0660dd6d3b0 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -885,6 +885,11 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 	/*
 	 *		skb->data points to the netrom frame start
 	 */

 +	if (skb_linearize(skb))
 +		return 0;
 +	if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN)
 +		return 0;
 +
 	src 	= (ax25_address *)(skb->data + 0);
 	dest = (ax25_address *)(skb->data + 7);

@@ -927,6 +932,11 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 	}

 	if (sk != NULL) {
 +		if (frametype == NR_CONNACK &&
 +		    skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN + 1) {
 +			sock_put(sk);
 +			return 0;
 +		}
 		bh_lock_sock(sk);
 		skb_reset_transport_header(skb);

@@ -961,10 +971,14 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 		return 0;
 	}

-	sk = nr_find_listener(dest);
 +	/* Need window (byte 20) and user address (bytes 21-27) */
 +	if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN + 1 + AX25_ADDR_LEN)
 +		return 0;

 	user = (ax25_address *)(skb->data + 21);

 +	sk = nr_find_listener(dest);
 +
 	if (sk == NULL || sk_acceptq_is_full(sk) ||
 	    (make = nr_make_new(sk)) == NULL) {
 		nr_transmit_refusal(skb, 0);
-- 
2.39.3 (Apple Git-146)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ