CVE-2023-53369

Source
https://cve.org/CVERecord?id=CVE-2023-53369
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53369
Downstream
Related
Published
2025-09-18T13:33:17.384Z
Modified
2026-05-15T11:54:21.882606457Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
net: dcb: choose correct policy to parse DCB_ATTR_BCN
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dcb: choose correct policy to parse DCB_ATTR_BCN

The dcbnl_bcn_setcfg uses an erroneous policy to parse tb[DCB_ATTR_BCN], which was introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comments in the code below.

    static int dcbnl_bcn_setcfg(...)
    {
        ...
        ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, ..)
        // !!! dcbnl_pfc_up_nest for attributes
        // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
        ...
        for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
        // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
            ...
            value_byte = nla_get_u8(data[i]);
            ...
        }
        ...
        for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
        // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
            ...
            value_int = nla_get_u32(data[i]);
            ...
        }
        ...
    }

That is, the nla_parse_nested_deprecated uses the dcbnl_pfc_up_nest attributes to parse the nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetches each nlattr as a dcbnl_bcn_attrs attribute. By looking up the associated nla_policy for dcbnl_bcn_attrs, we can find that the beginning part of these two policies is the "same".

    static const struct nla_policy dcbnl_pfc_up_nest[...] = {
        [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
    };

    static const struct nla_policy dcbnl_bcn_nest[...] = {
        [DCB_BCN_ATTR_RP_0]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_1]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_2]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_3]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_4]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_5]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_6]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_7]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
        // from here is somewhat different
        [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
        ...
        [DCB_BCN_ATTR_ALL]    = {.type = NLA_FLAG},
    };

Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.

Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV.
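The invariant the commit restores is that a nested parse must only read policy[type] for types its policy table actually has slots for. The following is an added example, not kernel code and not part of the commit: a constructed, trimmed model of the two policy tables (two UP/RP entries instead of eight, and the enum names and values are assumptions) with a check that reports the first attribute type whose policy lookup would run past the end of the table, so that the buggy pairing and the fixed pairing can be compared.

```c
#include <stddef.h>

/* Constructed model of a netlink nla_policy table; not kernel code. */
enum { NLA_U8 = 1, NLA_U32, NLA_FLAG };
struct nla_policy { int type; };

/* Trimmed, constructed versions of the two attribute enums (assumed
 * values). The real enums have eight UP_n / RP_n entries, but the layout
 * that matters is the same: the BCN enum continues past the point where
 * the PFC_UP enum ends. */
enum { DCB_PFC_UP_ATTR_UNDEFINED, DCB_PFC_UP_ATTR_0, DCB_PFC_UP_ATTR_1,
       DCB_PFC_UP_ATTR_ALL, DCB_PFC_UP_ATTR_MAX = DCB_PFC_UP_ATTR_ALL };
enum { DCB_BCN_ATTR_UNDEFINED, DCB_BCN_ATTR_RP_0, DCB_BCN_ATTR_RP_1,
       DCB_BCN_ATTR_RP_ALL, DCB_BCN_ATTR_BCNA_0, DCB_BCN_ATTR_RI,
       DCB_BCN_ATTR_ALL, DCB_BCN_ATTR_MAX = DCB_BCN_ATTR_ALL };

static const struct nla_policy dcbnl_pfc_up_nest[DCB_PFC_UP_ATTR_MAX + 1] = {
    [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
    [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
    [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
};
static const struct nla_policy dcbnl_bcn_nest[DCB_BCN_ATTR_MAX + 1] = {
    [DCB_BCN_ATTR_RP_0]   = {.type = NLA_U8},
    [DCB_BCN_ATTR_RP_1]   = {.type = NLA_U8},
    [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
    [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
    [DCB_BCN_ATTR_RI]     = {.type = NLA_U32},
    [DCB_BCN_ATTR_ALL]    = {.type = NLA_FLAG},
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* A compile-time guard that a policy table covers its own maxtype; the
 * correct pairing passes, and the buggy pairing below could not. */
_Static_assert(ARRAY_SIZE(dcbnl_bcn_nest) > DCB_BCN_ATTR_MAX, "bcn policy too short");

/* A nested parse consults policy[type] for every type in 1..maxtype.
 * Returns the first type whose lookup would read past the end of a policy
 * table with @entries slots, or 0 when the table covers every type. */
static int first_oob_policy_type(size_t entries, int maxtype)
{
    return (int)entries <= maxtype ? (int)entries : 0;
}

/* Buggy pairing: DCB_ATTR_BCN parsed with the PFC_UP policy. */
int bcn_parse_with_pfc_policy(void)
{
    return first_oob_policy_type(ARRAY_SIZE(dcbnl_pfc_up_nest), DCB_BCN_ATTR_MAX);
}

/* Fixed pairing: DCB_ATTR_BCN parsed with its own policy. */
int bcn_parse_with_bcn_policy(void)
{
    return first_oob_policy_type(ARRAY_SIZE(dcbnl_bcn_nest), DCB_BCN_ATTR_MAX);
}
```

With the PFC_UP table the first out-of-bounds lookup lands on DCB_BCN_ATTR_BCNA_0, exactly the point the commit message names; with the BCN table no lookup leaves the array.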

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53369.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

  Introduced   Fixed
  2.6.29       5.4.253
  5.5.0        5.10.190
  5.11.0       5.15.126
  5.16.0       6.1.45
  6.2.0        6.4.10

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json"