[PATCH v2 net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net v2] mptcp: fix slab-use-after-free in __inet_lookup_established"
Previous message: Mashiro Chen: "[PATCH v2 net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv()"
In reply to: Mashiro Chen: "[PATCH v2 net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv()"
Next in thread: Joerg Reuter: "Re: [PATCH v2 net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mashiro Chen

Date: Wed Apr 08 2026 - 22:51:31 EST

The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and
assigns its bufsize field directly to scc->stat.bufsize without any
range validation:

scc->stat.bufsize = memcfg.bufsize;

If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
interrupt handler later calls dev_alloc_skb(0) and immediately writes
a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
corrupting the adjacent skb_shared_info region.

Reject bufsize values smaller than 16; this is large enough to hold
at least one KISS header byte plus useful data.

Cc: stable@xxxxxxxxxxxxxxx
Cc: linux-hams@xxxxxxxxxxxxxxx
Signed-off-by: Mashiro Chen <mashiro.chen@xxxxxxxxxxx>
---
drivers/net/hamradio/scc.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c
index ae5048efde686a..8569db4a71401c 100644
--- a/drivers/net/hamradio/scc.c
+++ b/drivers/net/hamradio/scc.c
@@ -1909,6 +1909,8 @@ static int scc_net_siocdevprivate(struct net_device *dev,
if (!capable(CAP_SYS_RAWIO)) return -EPERM;
if (!arg || copy_from_user(&memcfg, arg, sizeof(memcfg)))
return -EINVAL;
+ if (memcfg.bufsize < 16)
+ return -EINVAL;
scc->stat.bufsize = memcfg.bufsize;
return 0;

--
2.53.0