superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers/net/hamradio
History
Mashiro Chen 8263e484d6 net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl 
The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and
assigns its bufsize field directly to scc->stat.bufsize without any
range validation:

  scc->stat.bufsize = memcfg.bufsize;

If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
interrupt handler later calls dev_alloc_skb(0) and immediately writes
a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
corrupting the adjacent skb_shared_info region.

Reject bufsize values smaller than 16; this is large enough to hold
at least one KISS header byte plus useful data.

Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Acked-by: Joerg Reuter <jreuter@yaina.de>
Link: https://patch.msgid.link/20260409024927.24397-3-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2026-04-12 13:19:03 -07:00
..
6pack.c net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf 2026-04-10 15:25:59 -07:00
Kconfig net: handle HAS_IOPORT dependencies 2024-04-08 11:56:56 +01:00
Makefile
baycom_epp.c hamradio: Remove unnecessary strscpy_pad() size arguments 2025-04-08 12:38:47 +02:00
baycom_par.c hamradio: baycom: replace strcpy() with strscpy() 2025-02-11 16:23:38 -08:00
baycom_ser_fdx.c hamradio: baycom: replace strcpy() with strscpy() 2025-02-11 16:23:38 -08:00
baycom_ser_hdx.c hamradio: baycom: replace strcpy() with strscpy() 2025-02-11 16:23:38 -08:00
bpqether.c net: hamradio: bpqether: validate frame length in bpq_rcv() 2026-04-12 13:19:03 -07:00
hdlcdrv.c net: remove unnecessary module_init/exit functions 2026-02-02 17:25:23 -08:00
mkiss.c
scc.c net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl 2026-04-12 13:19:03 -07:00
yam.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
z8530.h