sl_bump() reserves only 80 bytes of expansion headroom before calling slhc_uncompress(), but the reconstructed IP + TCP header is up to ip->ihl*4 + thp->doff*4 bytes. IHL and TCP doff are 4-bit fields and both can legitimately reach 15, so the header can grow to 2*15*4 = 120 bytes. A VJ-uncompressed primer with ihl=15, doff=15 followed by a compressed frame of size buffsize - 80 therefore writes up to 33 bytes past the kmalloc(buffsize + 4) rbuff allocation, with attacker-controlled content: BUG: KASAN: slab-out-of-bounds in slhc_uncompress Write of size 1069 at addr ffff88800ba93078 by task kworker/u8:1/32 Workqueue: events_unbound flush_to_ldisc Call Trace: __asan_memmove+0x3f/0x70 slhc_uncompress (drivers/net/slip/slhc.c:614) slip_receive_buf (drivers/net/slip/slip.c:342) tty_ldisc_receive_buf flush_to_ldisc Raise the reservation to match the real worst case. The ppp_generic receive path already enforces skb_tailroom >= 124 and is unaffected. Fixes: b5451d783ade ("slip: Move the SLIP drivers") Reported-by: Simon Horman Signed-off-by: Weiming Shi --- drivers/net/slip/slip.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c index 820e1a8fc9560..37af7cbe7f81d 100644 --- a/drivers/net/slip/slip.c +++ b/drivers/net/slip/slip.c @@ -333,9 +333,13 @@ static void sl_bump(struct slip *sl) printk(KERN_WARNING "%s: compressed packet ignored\n", dev->name); return; } - /* make sure we've reserved enough space for uncompress - to use */ - if (count + 80 > sl->buffsize) { + /* slhc_uncompress() prepends up to + * ip->ihl * 4 + thp->doff * 4 bytes of reconstructed + * IPv4 + TCP header. IHL and doff are 4-bit fields + * (max 15) counting 4-byte units, so the header is + * at most 2 * 15 * 4 = 120 bytes. + */ + if (count + 2 * 15 * 4 > sl->buffsize) { dev->stats.rx_over_errors++; return; } -- 2.43.0
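Review bot: the new bound in the `if (count + 2 * 15 * 4 > sl->buffsize)` check is a bare arithmetic expression whose meaning lives only in the comment above it; a named constant would make the intent survive the next edit and let the same value be reused elsewhere, e.g. something like `#define SL_UNCOMP_HDR_MAX (2 * 15 * 4) /* max IPv4 + TCP header */` and then `if (count + SL_UNCOMP_HDR_MAX > sl->buffsize)`. The logic itself looks right: with IHL and doff both 4-bit fields the reconstructed header cannot exceed 120 bytes, and slhc_uncompress() also consumes the compressed header it replaces, so the uncompressed frame stays within the `kmalloc(buffsize + 4)` rbuff allocation once the check admits only `count <= buffsize - 120`. Given that this check is the only guard between an attacker-controlled primer and the out-of-bounds write KASAN reports, consider also stating in the comment that the bound is deliberately independent of the actual ihl/doff values of the current connection, so nobody later "optimizes" it back down.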