[PATCH net 0/2] net: hamradio: fix missing input validation in bpqether and scc
From: Mashiro Chen
Date: Wed Apr 08 2026 - 13:26:01 EST

Two fixes for missing input validation in the hamradio drivers:

- bpqether: bpq_rcv() computes frame length as data[0] + data[1]*256 - 5,
  which can underflow when the length fields encode a value less than 5.
  The resulting negative value is subsequently used as an unsigned length,
  leading to out-of-bounds access.

- scc: the SIOCSCCSMEM ioctl accepts a bufsize of 0 without validation.
  When a receive interrupt fires, dev_alloc_skb(0) allocates an skb with
  an empty data area, and the subsequent skb_put_u8() calls write into
  the adjacent skb_shared_info, corrupting heap memory.

Both fixes are minimal, adding only a bounds check before the dangerous
operation.

Mashiro Chen (2):
  net: hamradio: bpqether: validate frame length in bpq_rcv()
  net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl

 drivers/net/hamradio/bpqether.c | 3 +++
 drivers/net/hamradio/scc.c      | 2 ++
 2 files changed, 5 insertions(+)
--
2.53.0
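
The bpqether length arithmetic described in the cover letter, as an added user-space illustration (not code from the patch series or the kernel). The helper names, the sample frames and the upper-bound check against the available bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BPQ_LEN_BIAS 5 /* the constant subtracted in the cover letter's formula */

/* Constructed sample frames: two length bytes (low, high), then payload. */
static const uint8_t frame_ok[]    = { 0x08, 0x00, 'a', 'b', 'c' }; /* 8 - 5 = 3 */
static const uint8_t frame_short[] = { 0x03, 0x00, 'a', 'b', 'c' }; /* 3 - 5 = -2 */
static const uint8_t frame_long[]  = { 0xff, 0xff, 'a', 'b', 'c' }; /* 65530 */

/* Length arithmetic as described: the result is a signed int. */
static int bpq_raw_len(const uint8_t *data)
{
    return data[0] + data[1] * 256 - BPQ_LEN_BIAS;
}

/* What an unchecked negative length becomes once treated as unsigned. */
unsigned int bpq_len_as_unsigned(const uint8_t *data)
{
    return (unsigned int)bpq_raw_len(data);
}

/* Hypothetical helper: payload length, or -1 if the frame must be dropped. */
long bpq_payload_len(const uint8_t *data, size_t avail)
{
    int len;

    if (avail < 2)                /* the length bytes themselves are missing */
        return -1;
    len = bpq_raw_len(data);
    if (len < 0)                  /* encoded value below 5: the underflow case */
        return -1;
    /* Assumption of this example: payload follows the two length bytes. */
    if ((size_t)len > avail - 2)
        return -1;
    return len;
}

int main(void)
{
    printf("ok:    %ld\n", bpq_payload_len(frame_ok, sizeof(frame_ok)));
    printf("short: %ld (unchecked: %u)\n",
           bpq_payload_len(frame_short, sizeof(frame_short)),
           bpq_len_as_unsigned(frame_short));
    printf("long:  %ld\n", bpq_payload_len(frame_long, sizeof(frame_long)));
    return 0;
}
```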