[PATCH 3/3] net: rose: fix out-of-bounds read in rose_parse_ccitt()

From: Mashiro Chen

Date: Tue Apr 07 2026 - 13:19:56 EST


rose_parse_ccitt() handles 0xC0-class facilities by reading l = p[1]
and validating 10 <= l <= 20, but never checks whether the remaining
buffer actually contains l + 2 bytes before accessing p + 7 and
p + 12 via memcpy().

An attacker can send a ROSE_CALL_REQUEST frame with a crafted CCITT
facility whose declared length fits the 10-20 range but whose actual
data is truncated. This causes the kernel to read up to l + 2 bytes
beyond the end of the facilities field, leaking adjacent skb data.

By contrast, rose_parse_national() already performs the equivalent
check (if (len < 2 + l) return -1) for all its 0xC0-class cases.

Add the same check to rose_parse_ccitt() before any data access.

Fixes: e0bccd315db0 ("rose: Add length checks to CALL_REQUEST parsing")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Mashiro Chen <mashiro.chen@xxxxxxxxxxx>
---
net/rose/rose_subr.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 4dbc437a9e229..a902ddeddc5bd 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -370,6 +370,9 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
if (l < 10 || l > 20)
return -1;

+ if (len < 2 + l)
+ return -1;
+
if (*p == FAC_CCITT_DEST_NSAP) {
memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
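Review bot: The new `len < 2 + l` check is sufficient for the reads shown only because the two memcpy() calls together span exactly `p + 7 .. p + 2 + l` (ROSE_ADDR_LEN bytes from `p + 7`, then `l - 10` bytes from `p + 12`); a short comment above the check stating that the 2 + l bound is derived from the `p + 12 + (l - 10)` end offset would make the relationship explicit for future readers and keep it from silently breaking if those offsets change. Also note that reading `p[1]` to obtain `l` happens before this check, so the loop header must already guarantee `len >= 2` there; the hunk does not show that context, so it is worth confirming in the review, or moving the new check to immediately after `l = p[1]` so both hazards are covered at one place, matching the ordering used in rose_parse_national().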
--
2.53.0