Re: [PATCH v4] net: caif: fix stack out-of-bounds write in cfctrl_link_setup()
From: Paolo Abeni
Date: Thu Apr 02 2026 - 05:10:29 EST
On 3/30/26 8:53 AM, Kangzheng Gu wrote:
> diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
> index c6cc2bfed65d..373ab1dc67a7 100644
> --- a/net/caif/cfctrl.c
> +++ b/net/caif/cfctrl.c
> @@ -416,8 +416,16 @@ static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp
> cp = (u8 *) linkparam.u.rfm.volume;
> for (tmp = cfpkt_extr_head_u8(pkt);
> cfpkt_more(pkt) && tmp != '\0';
> - tmp = cfpkt_extr_head_u8(pkt))
> + tmp = cfpkt_extr_head_u8(pkt)) {
> + if (cp >= (u8 *)linkparam.u.rfm.volume +
> + sizeof(linkparam.u.rfm.volume) - 1) {
> + pr_warn("Request reject, volume name length exceeds %zu\n",
> + sizeof(linkparam.u.rfm.volume));
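Review bot: the limit printed in the pr_warn() on the new lines does not match the limit the check enforces: the condition `cp >= (u8 *)linkparam.u.rfm.volume + sizeof(linkparam.u.rfm.volume) - 1` rejects a name once sizeof(volume) - 1 bytes have been stored and another non-NUL byte arrives (the last byte being reserved for the terminator), so a name of exactly sizeof(volume) characters is rejected even though it does not "exceed" the %zu value passed, which is sizeof(volume). Either print `sizeof(linkparam.u.rfm.volume) - 1` or reword the message to "volume name too long (max %zu)". Since the message fires once per malformed incoming packet, the same line is also a candidate for pr_warn_ratelimited() rather than pr_warn().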
It looks like this printk is remotely triggerable from each incoming
(malformed) packet. It should be rate-limited.
Thanks,
Paolo