Re: [PATCH] caif: fix integer underflow in cffrml_receive()
From: David Laight
Date: Thu Dec 11 2025 - 08:26:20 EST
On Thu, 04 Dec 2025 21:30:47 +0800
Junrui Luo <moonafterrain@xxxxxxxxxxx> wrote:
> The cffrml_receive() function extracts a length field from the packet
> header and, when FCS is disabled, subtracts 2 from this length without
> validating that len >= 2.
>
> If an attacker sends a malicious packet with a length field of 0 or 1
> to an interface with FCS disabled, the subtraction causes an integer
> underflow.
>
> This can lead to memory exhaustion and kernel instability, potential
> information disclosure if padding contains uninitialized kernel memory.
>
> Fix this by validating that len >= 2 before performing the subtraction.
>
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> net/caif/cffrml.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
> index 6651a8dc62e0..d4d63586053a 100644
> --- a/net/caif/cffrml.c
> +++ b/net/caif/cffrml.c
> @@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
> len = le16_to_cpu(tmp);
>
> /* Subtract for FCS on length if FCS is not used. */
> - if (!this->dofcs)
> + if (!this->dofcs) {
> + if (len < 2) {
> + ++cffrml_rcv_error;
> + pr_err("Invalid frame length (%d)\n", len);
Doesn't that let the same remote attacker flood the kernel message buffer?
David
> + cfpkt_destroy(pkt);
> + return -EPROTO;
> + }
> len -= 2;
> + }
>
> if (cfpkt_setlen(pkt, len) < 0) {
> ++cffrml_rcv_error;
>
> ---
> base-commit: 559e608c46553c107dbba19dae0854af7b219400
> change-id: 20251204-fixes-23393d72bfc8
>
> Best regards,