rose_process_rx_frame() calls rose_decode() which reads skb->data[2] without any prior length check. For CLEAR REQUEST frames the state machines then read skb->data[3] and skb->data[4] as the cause and diagnostic bytes. A crafted 3-byte ROSE CLEAR REQUEST frame passes the minimum length gate in rose_route_frame() and reaches rose_process_rx_frame(), where rose_decode() reads one byte past the header and the state machines read two bytes past the valid buffer. A remote peer can exploit this to leak kernel memory contents or trigger a kernel panic. Add a pskb_may_pull(skb, 3) check before rose_decode() to cover its skb->data[2] access, and a pskb_may_pull(skb, 5) check afterwards for the CLEAR REQUEST path to cover the cause and diagnostic reads. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Ashutosh Desai --- V2 -> V3: drop kfree_skb() calls to fix double-free; add end-user visible symptom to commit log; use [net] subject prefix V1 -> V2: switch skb->len check to pskb_may_pull; add pskb_may_pull(skb, 3) before rose_decode() to cover its skb->data[2] access v2: https://lore.kernel.org/netdev/177614667427.3606651.8700070406932922261@gmail.com/ v1: https://lore.kernel.org/netdev/20260409013246.2051746-1-ashutoshdesai993@gmail.com/ net/rose/rose_in.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/rose/rose_in.c b/net/rose/rose_in.c index 0276b393f0e5..8e60dc562b4a 100644 --- a/net/rose/rose_in.c +++ b/net/rose/rose_in.c @@ -269,8 +269,14 @@ int rose_process_rx_frame(struct sock *sk, struct sk_buff *skb) if (rose->state == ROSE_STATE_0) return 0; + if (!pskb_may_pull(skb, 3)) + return 0; + frametype = rose_decode(skb, &ns, &nr, &q, &d, &m); + if (frametype == ROSE_CLEAR_REQUEST && !pskb_may_pull(skb, 5)) + return 0; + switch (rose->state) { case ROSE_STATE_1: queued = rose_state1_machine(sk, skb, frametype); -- 2.34.1