[PATCH 0/3] net: fix three security bugs in NET/ROM and ROSE stacks

[Mashiro Chen]

This series fixes three bugs in the Linux kernel AX.25 protocol stack,
submitted on top of Greg Kroah-Hartman's frame-size validation series
(https://lore.kernel.org/r/2026040730-untagged-groin-bbb7@gregkh).

Patch 1 fixes an integer overflow in nr_queue_rx_frame(): nr_sock.fraglen
is declared as unsigned short and accumulates received fragment lengths
without overflow protection.  When total received data exceeds 65535 bytes,
fraglen wraps to a small value, causing alloc_skb() to allocate a tiny
buffer followed by a full-length copy -- a heap out-of-bounds write.

Patch 2 fixes nr_find_socket() dispatching incoming NR_INFO frames by
matching only the circuit index/id bytes without validating the source
callsign against the socket's dest_addr.  Any node can inject frames into
an existing STATE_3 connection by guessing the circuit ID (the value space
is only 65025 non-zero pairs and IDs are assigned sequentially).  Combined
with the fraglen overflow in patch 1, this gives an unauthenticated
attacker a complete heap corruption primitive.

Patch 3 fixes an out-of-bounds read in rose_parse_ccitt(): the function
validates 10 <= l <= 20 but never checks that the remaining buffer is at
least l+2 bytes before calling memcpy().  rose_parse_national() already
performs the equivalent check; this patch adds the same guard.

Mashiro Chen (3):
  net: netrom: fix integer overflow in nr_queue_rx_frame()
  net: netrom: validate source address in nr_find_socket()
  net: rose: fix out-of-bounds read in rose_parse_ccitt()

 net/netrom/af_netrom.c | 11 +++++++----
 net/netrom/nr_in.c     | 10 ++++++++++
 net/rose/rose_subr.c   |  3 +++
 3 files changed, 20 insertions(+), 4 deletions(-)

-- 
2.53.0