Fix an issue detected by syzbot with KMSAN: BUG: KMSAN: uninit-value in ppp_sync_txmunge drivers/net/ppp/ppp_synctty.c:516 [inline] BUG: KMSAN: uninit-value in ppp_sync_send+0x21c/0xb00 drivers/net/ppp/ppp_synctty.c:568 Ensure sk_buff is valid and has at least 3 bytes before accessing its data field in ppp_sync_txmunge(). Without this check, the function may attempt to read uninitialized or invalid memory, leading to undefined behavior. To address this, add a validation check at the beginning of the function to safely handle cases where skb is NULL or too small. If either condition is met, free the skb and return NULL to prevent processing an invalid packet. Reported-by: syzbot+29fc8991b0ecb186cf40@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40 Tested-by: syzbot+29fc8991b0ecb186cf40@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Purva Yeshi <purvayeshi550@xxxxxxxxx> --- drivers/net/ppp/ppp_synctty.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c index 644e99fc3..e537ea3d9 100644 --- a/drivers/net/ppp/ppp_synctty.c +++ b/drivers/net/ppp/ppp_synctty.c @@ -506,6 +506,12 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb) unsigned char *data; int islcp; + /* Ensure skb is not NULL and has at least 3 bytes */ + if (!skb || skb->len < 3) { + kfree_skb(skb); + return NULL; + } + data = skb->data; proto = get_unaligned_be16(data); -- 2.34.1
