{"id":"CVE-2023-53369","summary":"net: dcb: choose correct policy to parse DCB_ATTR_BCN","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dcb: choose correct policy to parse DCB_ATTR_BCN\n\nThe dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],\nwhich is introduced in commit 859ee3c43812 (\"DCB: Add support for DCB\nBCN\"). Please see the comment in below code\n\nstatic int dcbnl_bcn_setcfg(...)\n{\n  ...\n  ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )\n  // !!! dcbnl_pfc_up_nest for attributes\n  //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs\n  ...\n  for (i = DCB_BCN_ATTR_RP_0; i \u003c= DCB_BCN_ATTR_RP_7; i++) {\n  // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs\n    ...\n    value_byte = nla_get_u8(data[i]);\n    ...\n  }\n  ...\n  for (i = DCB_BCN_ATTR_BCNA_0; i \u003c= DCB_BCN_ATTR_RI; i++) {\n  // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs\n  ...\n    value_int = nla_get_u32(data[i]);\n  ...\n  }\n  ...\n}\n\nThat is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest\nattributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the\nfollowing access code fetch each nlattr as dcbnl_bcn_attrs attributes.\nBy looking up the associated nla_policy for dcbnl_bcn_attrs. We can find\nthe beginning part of these two policies are \"same\".\n\nstatic const struct nla_policy dcbnl_pfc_up_nest[...] = {\n        [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},\n        [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},\n};\n\nstatic const struct nla_policy dcbnl_bcn_nest[...] = {\n        [DCB_BCN_ATTR_RP_0]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_1]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_2]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_3]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_4]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_5]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_6]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_7]         = {.type = NLA_U8},\n        [DCB_BCN_ATTR_RP_ALL]       = {.type = NLA_FLAG},\n        // from here is somewhat different\n        [DCB_BCN_ATTR_BCNA_0]       = {.type = NLA_U32},\n        ...\n        [DCB_BCN_ATTR_ALL]          = {.type = NLA_FLAG},\n};\n\nTherefore, the current code is buggy and this\nnla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use\nthe adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.\n\nHence use the correct policy dcbnl_bcn_nest to parse the nested\ntb[DCB_ATTR_BCN] TLV.","modified":"2026-04-11T12:46:45.566052Z","published":"2025-09-18T13:33:17.384Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4515-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53369.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/199fde04bd875d28b3a5ca525eaaa004eec6e947"},{"type":"WEB","url":"https://git.kernel.org/stable/c/31d49ba033095f6e8158c60f69714a500922e0c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8e309f43d0ca4051d20736c06a6f84bbddd881da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0da2684db18dead3bcee12fb185e596e3d63c2b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ecff20e193207b44fdbfe64d7de89890f0a7fe6c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53369.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53369"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"859ee3c43812051e21816c6d6d4cc04fb7ce9b2e"},{"fixed":"5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9"},{"fixed":"8e309f43d0ca4051d20736c06a6f84bbddd881da"},{"fixed":"a0da2684db18dead3bcee12fb185e596e3d63c2b"},{"fixed":"ecff20e193207b44fdbfe64d7de89890f0a7fe6c"},{"fixed":"199fde04bd875d28b3a5ca525eaaa004eec6e947"},{"fixed":"31d49ba033095f6e8158c60f69714a500922e0c3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.29"},{"fixed":"5.4.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.190"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.126"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.45"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53369.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}