Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: hamradio: bpqether: validate frame length in bpq_rcv()

The BPQ length field is decoded as:

len = skb->data[0] + skb->data[1] * 256 - 5;

If the sender sets bytes [0..1] to values whose combined value is
less than 5, len becomes negative. Passing a negative int to
skb_trim() silently converts to a huge unsigned value, causing the
function to be a no-op. The frame is then passed up to AX.25 with
its original (untrimmed) payload, delivering garbage beyond the
declared frame boundary.

Additionally, a negative len corrupts the 64-bit rx_bytes counter
through implicit sign-extension.

Add a bounds check before pulling the length bytes: reject frames
where len is negative or exceeds the remaining skb data.

Acked-by: Joerg Reuter <jreuter@yaina.de>
Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Link: https://patch.msgid.link/20260409024927.24397-2-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by Mashiro Chen and committed by Jakub Kicinski
6183bd87 2835750d
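Added example, not part of the commit or of the kernel: a userspace C model of the length decode described in the message above. It reproduces the driver's arithmetic, a skb_trim() stand-in with the same unsigned length parameter, and the frame lengths that reach AX.25 with and without the new bounds check. struct demo_skb, demo_skb_trim(), demo_bpq_rcv() and demo_frame() are names chosen for this demo and do not exist in the driver; the sample frames are constructed here. The demo's check also rejects skb->len < 2 before the subtraction, a guard this patch itself does not add.

```c
/*
 * Userspace model of the BPQ length decode in bpq_rcv() (example only,
 * not kernel code). All demo_* names are assumptions for this demo.
 */
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_FRAME 64

/* Stand-in for the parts of struct sk_buff that the decode touches. */
struct demo_skb {
	unsigned char buf[DEMO_MAX_FRAME];
	unsigned char *data;	/* points at the two BPQ length bytes */
	unsigned int len;	/* payload bytes present; unsigned, as in the kernel */
};

/* Same contract as skb_trim(): the length parameter is unsigned, so a
 * negative int from the caller becomes a huge value and nothing is cut. */
static void demo_skb_trim(struct demo_skb *skb, unsigned int len)
{
	if (skb->len > len)
		skb->len = len;
}

/* Run one frame (payload after the Ethernet header) through the decode.
 * Returns the number of bytes that would be handed to AX.25, or -1 if the
 * frame is dropped. patched == 0 models the unchecked sequence; any other
 * value applies the bounds check. */
static int demo_bpq_rcv(const unsigned char *frame, unsigned int n, int patched)
{
	struct demo_skb skb;
	int len;

	if (n > DEMO_MAX_FRAME)
		return -1;
	memset(&skb, 0, sizeof(skb));
	memcpy(skb.buf, frame, n);
	skb.data = skb.buf;
	skb.len = n;

	/* Same arithmetic as the driver; skb data bytes are unsigned char. */
	len = skb.data[0] + skb.data[1] * 256 - 5;

	/* skb.len is unsigned: reject short frames before subtracting 2 so the
	 * upper bound cannot be defeated by wrap-around (demo-only guard). */
	if (patched && (len < 0 || skb.len < 2 || (unsigned int)len > skb.len - 2))
		return -1;

	skb.data += 2;			/* skb_pull(skb, 2) */
	skb.len -= 2;
	demo_skb_trim(&skb, len);	/* negative len: no-op when unpatched */
	return (int)skb.len;
}

/* Constructed frame: two length bytes followed by 28 bytes of filler. */
static int demo_frame(unsigned char lo, unsigned char hi, int patched)
{
	unsigned char frame[30];

	memset(frame, 0xAA, sizeof(frame));
	frame[0] = lo;
	frame[1] = hi;
	return demo_bpq_rcv(frame, sizeof(frame), patched);
}

int main(void)
{
	/* Length field 3: len = -2. Unpatched, the trim is a no-op and all
	 * 28 filler bytes reach AX.25; patched, the frame is dropped. */
	printf("field 3:     unpatched %d, patched %d\n",
	       demo_frame(3, 0, 0), demo_frame(3, 0, 1));
	/* Length field 16: len = 11, within the 28 bytes present. */
	printf("field 16:    unpatched %d, patched %d\n",
	       demo_frame(16, 0, 0), demo_frame(16, 0, 1));
	/* Length field 0xFFFF: len = 65530, far past the buffer end. */
	printf("field 65535: unpatched %d, patched %d\n",
	       demo_frame(0xFF, 0xFF, 0), demo_frame(0xFF, 0xFF, 1));
	return 0;
}
```

The third case shows that the upper bound matters as well as the sign check: an oversized length is not a negative int, yet it also leaves skb_trim() with nothing to cut, so the untrimmed payload is delivered exactly as in the negative case.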

+3 drivers/net/hamradio/bpqether.c
··· 187 187 188 188 len = skb->data[0] + skb->data[1] * 256 - 5; 189 189 190 + if (len < 0 || len > skb->len - 2) 191 + goto drop_unlock; 192 + 190 193 skb_pull(skb, 2); /* Remove the length bytes */ 191 194 skb_trim(skb, len); /* Set the length of the data */ 192 195
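Review bot: the upper bound `len > skb->len - 2` at line 190 is evaluated in unsigned arithmetic (skb->len is unsigned int), so a frame with skb->len of 0 or 1 makes the subtraction wrap and the bound never fires; the two length bytes at line 188 are also read before anything in this hunk establishes that two bytes are present. Unless an earlier check in bpq_rcv() outside this hunk already guarantees skb->len >= 2, consider `if (len < 0 || skb->len < 2 || len > skb->len - 2)` or a `pskb_may_pull(skb, 2)` ahead of the decode. The comparison also mixes the signed `len` with an unsigned right-hand side; the preceding `len < 0` test makes that safe, but a short comment saying so would spare the next reader the same analysis.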