[PATCH v4] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
From: Kangzheng Gu
Date: Mon Mar 30 2026 - 02:54:09 EST
cfctrl_link_setup() copies the RFM volume name from a received control
packet into linkparam.u.rfm.volume until a '\0' is found. A malformed
packet can omit the terminator and make the copy run past the 20-byte
stack buffer.
Stop copying once the buffer is full and mark the frame as failed by
setting CFCTRL_ERR_BIT so the link setup is rejected.
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Kangzheng Gu <xiaoguai0992@xxxxxxxxx>
---
v4:
- remove the Reported-by.
- print a warn message and reject link setup by setting CFCTRL_ERR_BIT.
- using %zu to adapt the compilation of 32-bit kernel.
net/caif/cfctrl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index c6cc2bfed65d..373ab1dc67a7 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -416,8 +416,16 @@ static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp
cp = (u8 *) linkparam.u.rfm.volume;
for (tmp = cfpkt_extr_head_u8(pkt);
cfpkt_more(pkt) && tmp != '\0';
- tmp = cfpkt_extr_head_u8(pkt))
+ tmp = cfpkt_extr_head_u8(pkt)) {
+ if (cp >= (u8 *)linkparam.u.rfm.volume +
+ sizeof(linkparam.u.rfm.volume) - 1) {
+ pr_warn("Request reject, volume name length exceeds %zu\n",
+ sizeof(linkparam.u.rfm.volume));
+ cmdrsp |= CFCTRL_ERR_BIT;
+ break;
+ }
*cp++ = tmp;
+ }
*cp = '\0';
if (CFCTRL_ERR_BIT & cmdrsp)
--
2.50.1