Possible buffer overflow in ktcp's SLIP packet processing function #2635

@JesusCrazy42

Description

Hello,

I was taking a look at how ktcp handles incoming SLIP packets when I found a possible buffer overflow in the code that handles SLIP escape sequences.

Inside the function slip_process in the file "elkscmd/ktcp/slip.c" I found this code:

```c
switch (sbuf[i]) {

case ESC_END:
	packet[packpos++] = END;
	break;

case ESC_ESC:
	packet[packpos++] = ESC;
	break;

default:
	/* Protocol error ??! */
	packet[packpos++] = sbuf[i];
}
```

In the part of the function that handles normal incoming bytes, overflows appear to be checked for (on the master branch):

```c
default:
	/* drop characters over SLIP_MTU*/
	if (packpos < sizeof(packet))
		packet[packpos++] = sbuf[i];
```

But on the "dev86" and "fat_tune" branches, the code does not check for overflows on that part of the function either:

```c
default:
	packet[packpos++] = sbuf[i];
```

On those branches the function has a FIXME that I think talks about this buffer overrun, but on the master branch it doesn't have any FIXME.

Although I haven't tested whether it's possible to craft a malicious packet to exploit it, I think the code could be exploited, since the variable packpos doesn't seem to have any code to prevent it from taking values outside of the buffer.

Sorry about my English; I'm actually from Spain and my English is maybe not very good.
And sorry if my issue report is not well made; I don't really use GitHub that much.
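For reference, here is a bounds-checked SLIP decoder written as an added example for this issue. It is not the ELKS project's code and not the fix adopted upstream: the function name `slip_decode`, the `SLIP_*` constants, the negative error codes and the demo frames are all constructed here. The point it shows is that a single length check placed where the byte is stored covers both the plain-byte path and the escaped-byte path, so the ESC_END / ESC_ESC branches can no longer advance `packpos` past the buffer. It also goes slightly beyond the report by rejecting an invalid escape sequence and a frame cut off mid-escape instead of storing the raw byte, which is a design choice rather than something the issue asks for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SLIP framing bytes (RFC 1055). */
#define SLIP_END      0xC0
#define SLIP_ESC      0xDB
#define SLIP_ESC_END  0xDC
#define SLIP_ESC_ESC  0xDD

/* Result codes (constructed for this example): >= 0 is the decoded length,
 * < 0 means the frame was rejected. */
#define SLIP_ERR_OVERRUN (-1)  /* decoded packet would exceed packet_cap */
#define SLIP_ERR_BADESC  (-2)  /* ESC followed by neither ESC_END nor ESC_ESC */
#define SLIP_ERR_TRUNC   (-3)  /* input ended before the closing END */

/*
 * Decode one SLIP frame from sbuf[0..slen) into packet[0..packet_cap).
 * Leading END bytes are skipped; the frame ends at the first END that
 * follows at least one data byte. Every store goes through one bounds
 * check, so the escaped path cannot write past the buffer either.
 */
static int slip_decode(const uint8_t *sbuf, size_t slen,
                       uint8_t *packet, size_t packet_cap)
{
    size_t packpos = 0;
    size_t i;

    for (i = 0; i < slen; i++) {
        uint8_t c = sbuf[i];

        if (c == SLIP_END) {
            if (packpos == 0)
                continue;           /* empty frame or leading END: ignore */
            return (int)packpos;    /* complete frame */
        }
        if (c == SLIP_ESC) {
            if (i + 1 >= slen)
                return SLIP_ERR_TRUNC;
            switch (sbuf[++i]) {
            case SLIP_ESC_END: c = SLIP_END; break;
            case SLIP_ESC_ESC: c = SLIP_ESC; break;
            default:
                /* Protocol error: reject the frame instead of storing the byte. */
                return SLIP_ERR_BADESC;
            }
        }
        /* One check covers both the plain-byte and the escaped-byte paths. */
        if (packpos >= packet_cap)
            return SLIP_ERR_OVERRUN;
        packet[packpos++] = c;
    }
    return SLIP_ERR_TRUNC;          /* ran out of input without a closing END */
}

/* Constructed frame: END, 0x01, ESC ESC_END, 0x02, ESC ESC_ESC, END
 * decodes to 0x01 0xC0 0x02 0xDB. Returns the decoded length (4). */
static int demo_escapes_roundtrip(void)
{
    static const uint8_t frame[] = { SLIP_END, 0x01, SLIP_ESC, SLIP_ESC_END,
                                     0x02, SLIP_ESC, SLIP_ESC_ESC, SLIP_END };
    static const uint8_t want[]  = { 0x01, SLIP_END, 0x02, SLIP_ESC };
    uint8_t packet[16];
    int n = slip_decode(frame, sizeof frame, packet, sizeof packet);

    if (n != (int)sizeof want || memcmp(packet, want, sizeof want) != 0)
        return -100;                /* wrong bytes: the demo itself failed */
    return n;
}

/* Constructed frame whose *escaped* byte is the one that would overflow a
 * 1-byte buffer: exactly the path the issue reports as unchecked. */
static int demo_escaped_byte_overrun(void)
{
    static const uint8_t frame[] = { 0x01, SLIP_ESC, SLIP_ESC_END, SLIP_END };
    uint8_t packet[1];
    return slip_decode(frame, sizeof frame, packet, sizeof packet);
}

/* Constructed frame with an invalid escape sequence (ESC followed by 'A'). */
static int demo_bad_escape(void)
{
    static const uint8_t frame[] = { 0x01, SLIP_ESC, 0x41, SLIP_END };
    uint8_t packet[16];
    return slip_decode(frame, sizeof frame, packet, sizeof packet);
}

/* Constructed input that stops in the middle of an escape sequence. */
static int demo_truncated(void)
{
    static const uint8_t frame[] = { 0x01, SLIP_ESC };
    uint8_t packet[16];
    return slip_decode(frame, sizeof frame, packet, sizeof packet);
}

int main(void)
{
    printf("roundtrip length: %d\n", demo_escapes_roundtrip());
    printf("escaped overrun:  %d\n", demo_escaped_byte_overrun());
    printf("bad escape:       %d\n", demo_bad_escape());
    printf("truncated:        %d\n", demo_truncated());
    return 0;
}
```

The decoder returns a negative code rather than silently dropping bytes, so the caller can count rejected frames; a dropped-byte policy like the master branch's `if (packpos < sizeof(packet))` would instead deliver a truncated packet upward, which the IP layer then has to catch via its own length and checksum fields.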
