[PATCH] net: atm: targetless need more input msg
From: Edward Adam Davis
Date: Fri Nov 28 2025 - 10:56:30 EST
syzbot found an uninitialized targetless variable. The user-provided
data was only 28 bytes long, but initializing targetless requires at
least 44 bytes. This discrepancy ultimately led to the uninitialized
variable access issue reported by syzbot [1].
Adding a message length check to the arp update process eliminates
the uninitialized issue in [1].
[1]
BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
lec_arp_update net/atm/lec.c:1845 [inline]
lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
Reported-by: syzbot+5dd615f890ddada54057@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
net/atm/lec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..178132b2771a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
break;
fallthrough;
case l_arp_update:
+ {
+ int need_size = offsetofend(struct atmlec_msg,
+ content.normal.targetless_le_arp);
+ if (skb->len < need_size) {
+ pr_info("Input msg size too small, need %d got %u\n",
+ need_size, skb->len);
+ dev_kfree_skb(skb);
+ return -EINVAL;
+ }
lec_arp_update(priv, mesg->content.normal.mac_addr,
mesg->content.normal.atm_addr,
mesg->content.normal.flag,
@@ -394,6 +403,7 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
tmp, mesg->sizeoftlvs);
}
break;
+ }
case l_config:
priv->maximum_unknown_frame_count =
mesg->content.config.maximum_unknown_frame_count;
--
2.43.0