CVE-2023-53369

Source
https://cve.org/CVERecord?id=CVE-2023-53369
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53369
Published
2025-09-18T13:33:17.384Z
Modified
2026-03-20T12:33:07.101117Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
net: dcb: choose correct policy to parse DCB_ATTR_BCN
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dcb: choose correct policy to parse DCB_ATTR_BCN

The dcbnl_bcn_setcfg uses an erroneous policy to parse tb[DCB_ATTR_BCN], which was introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comments in the code below:

static int dcbnl_bcn_setcfg(...)
{
  ...
  ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
  // !!! dcbnl_pfc_up_nest for attributes
  //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
  ...
  for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
  // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
    ...
    value_byte = nla_get_u8(data[i]);
    ...
  }
  ...
  for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
  // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
    ...
    value_int = nla_get_u32(data[i]);
    ...
  }
  ...
}

That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetches each nlattr as dcbnl_bcn_attrs attributes. By looking up the associated nla_policy for dcbnl_bcn_attrs, we can find that the beginning parts of these two policies are the "same".

static const struct nla_policy dcbnl_pfc_up_nest[...] = {
        [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
        [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
};

static const struct nla_policy dcbnl_bcn_nest[...] = {
        [DCB_BCN_ATTR_RP_0]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_1]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_2]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_3]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_4]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_5]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_6]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_7]   = {.type = NLA_U8},
        [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
        // from here is somewhat different
        [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
        ...
        [DCB_BCN_ATTR_ALL]    = {.type = NLA_FLAG},
};

Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.

Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV.
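
A reduced userspace model of the policy mismatch described above, added here as an example; it is not kernel code and not the upstream fix. The enum names, `struct policy` and `check_attr` are hypothetical, and the BCN attribute space is shortened to the entries quoted on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Reduced userspace model (constructed for illustration, not kernel code).
 * Both attribute spaces start with eight u8 entries and a flag; only the
 * BCN space continues with u32 entries, as in the policies quoted above. */
enum { PFC_UP_0 = 1, PFC_UP_ALL = 9, PFC_MAX = PFC_UP_ALL };
enum { BCN_RP_0 = 1, BCN_RP_ALL = 9, BCN_BCNA_0, BCN_RI, BCN_ALL, BCN_MAX = BCN_ALL };
enum kind { K_NONE, K_U8, K_U32, K_FLAG };
enum verdict { ATTR_OK, ATTR_REJECTED, POLICY_TOO_SHORT };

/* Unlike a bare policy pointer, this carries the table's real length. */
struct policy { const enum kind *rules; size_t len; };

static const enum kind pfc_rules[PFC_MAX + 1] = {
    K_NONE, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_FLAG };
static const enum kind bcn_rules[BCN_MAX + 1] = {
    K_NONE, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_U8, K_FLAG,
    K_U32, K_U32, K_FLAG };
static const struct policy pfc_policy = { pfc_rules, PFC_MAX + 1 };
static const struct policy bcn_policy = { bcn_rules, BCN_MAX + 1 };

/* Validate one attribute (type, payload length) against a policy. */
static enum verdict check_attr(const struct policy *p, int maxtype,
                               int type, size_t payload_len)
{
    if (maxtype < 0 || (size_t)maxtype >= p->len)
        return POLICY_TOO_SHORT;   /* rules[type] could index past the table */
    if (type <= 0 || type > maxtype)
        return ATTR_REJECTED;      /* type outside the declared space */
    switch (p->rules[type]) {
    case K_U8:   return payload_len >= 1 ? ATTR_OK : ATTR_REJECTED;
    case K_U32:  return payload_len >= 4 ? ATTR_OK : ATTR_REJECTED;
    case K_FLAG: return payload_len == 0 ? ATTR_OK : ATTR_REJECTED;
    default:     return ATTR_REJECTED;
    }
}

int main(void)
{
    /* Buggy pairing: PFC policy, but the caller walks the BCN type range. */
    printf("pfc policy, BCN range: %d\n", check_attr(&pfc_policy, BCN_MAX, BCN_BCNA_0, 1));
    /* Fixed pairing: a 1-byte payload for a u32 attribute is refused. */
    printf("bcn policy, short u32: %d\n", check_attr(&bcn_policy, BCN_MAX, BCN_BCNA_0, 1));
    printf("bcn policy, full u32:  %d\n", check_attr(&bcn_policy, BCN_MAX, BCN_BCNA_0, 4));
    return 0;
}
```

The first call models the pairing the commit removes: the policy table has ten entries while the code that follows reads attribute types up to the BCN maximum.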

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53369.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
859ee3c43812051e21816c6d6d4cc04fb7ce9b2e
Fixed
5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9
Fixed
8e309f43d0ca4051d20736c06a6f84bbddd881da
Fixed
a0da2684db18dead3bcee12fb185e596e3d63c2b
Fixed
ecff20e193207b44fdbfe64d7de89890f0a7fe6c
Fixed
199fde04bd875d28b3a5ca525eaaa004eec6e947
Fixed
31d49ba033095f6e8158c60f69714a500922e0c3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json"