[PATCH 5.10.y] media: dvb-net: fix OOB access in ULE extension header tables

Next message: Frank Li: "Re: [PATCH v2 08/13] i3c: dw-i3c-master: Add SETAASA as supported CCC"
Previous message: Frank Li: "Re: [PATCH v2 09/13] i3c: dw-i3c-master: Add a quirk to skip clock and reset"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jianqiang kang

Date: Thu Apr 09 2026 - 22:45:32 EST

From: Ariel Silver <arielsilver77@xxxxxxxxx>

[ Upstream commit 24d87712727a5017ad142d63940589a36cd25647 ]

The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.

Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@xxxxxxxxx>
Signed-off-by: Ariel Silver <arielsilver77@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Jianqiang kang <jianqkang@xxxxxxx>
---
drivers/media/dvb-core/dvb_net.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
index c594b1bdfcaa..c8cbe901bcf0 100644
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -228,6 +228,9 @@ static int handle_one_ule_extension( struct dvb_net_priv *p )
unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8;
unsigned char htype = p->ule_sndu_type & 0x00FF;

+ if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers))
+ return -1;
+
/* Discriminate mandatory and optional extension headers. */
if (hlen == 0) {
/* Mandatory extension header */
--
2.34.1