summaryrefslogtreecommitdiff
path: root/drivers/ide/ppc/git@git.tavy.me:linux.git
diff options
context:
space:
mode:
authorMashiro Chen <mashiro.chen@mailbox.org>2026-04-09 10:49:27 +0800
committerJakub Kicinski <kuba@kernel.org>2026-04-12 13:19:03 -0700
commit8263e484d6622464ec72a5ad563f62492d84fa54 (patch)
tree516c90cac711f2886e539a8005a35587ec2b2ed7 /drivers/ide/ppc/git@git.tavy.me:linux.git
parent6183bd8723a3eecd2d89cbc506fe938bc6288345 (diff)
net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl
The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and assigns its bufsize field directly to scc->stat.bufsize without any range validation: scc->stat.bufsize = memcfg.bufsize; If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive interrupt handler later calls dev_alloc_skb(0) and immediately writes a KISS type byte via skb_put_u8() into a zero-capacity socket buffer, corrupting the adjacent skb_shared_info region. Reject bufsize values smaller than 16; this is large enough to hold at least one KISS header byte plus useful data. Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org> Acked-by: Joerg Reuter <jreuter@yaina.de> Link: https://patch.msgid.link/20260409024927.24397-3-mashiro.chen@mailbox.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'drivers/ide/ppc/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-19 04:39:13 +0000