[PATCH net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv()

Next message: Mashiro Chen: "[PATCH net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl"
Previous message: Mark Brown: "Re: linux-next: manual merge of the drm tree with the drm-misc-fixes tree"
In reply to: Mashiro Chen: "[PATCH net 0/2] net: hamradio: fix missing input validation in bpqether and scc"
Next in thread: Joerg Reuter: "Re: [PATCH net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mashiro Chen

Date: Wed Apr 08 2026 - 13:26:53 EST

The BPQ length field is decoded as:

len = skb->data[0] + skb->data[1] * 256 - 5;

If the sender sets bytes [0..1] to values whose combined value is
less than 5, len becomes negative. Passing a negative int to
skb_trim() silently converts to a huge unsigned value, causing the
function to be a no-op. The frame is then passed up to AX.25 with
its original (untrimmed) payload, delivering garbage beyond the
declared frame boundary.

Additionally, a negative len corrupts the 64-bit rx_bytes counter
through implicit sign-extension.

Add a bounds check before pulling the length bytes: reject frames
where len is negative or exceeds the remaining skb data.

Cc: stable@xxxxxxxxxxxxxxx
Cc: linux-hams@xxxxxxxxxxxxxxx
Signed-off-by: Mashiro Chen <mashiro.chen@xxxxxxxxxxx>
---
drivers/net/hamradio/bpqether.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
index 045c5177262eaf..214fd1f819a1bb 100644
--- a/drivers/net/hamradio/bpqether.c
+++ b/drivers/net/hamradio/bpqether.c
@@ -187,6 +187,9 @@ static int bpq_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty

len = skb->data[0] + skb->data[1] * 256 - 5;

+ if (len < 0 || len > skb->len - 2)
+ goto drop_unlock;
+
skb_pull(skb, 2); /* Remove the length bytes */
skb_trim(skb, len); /* Set the length of the data */

--
2.53.0