[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230313220045.52394-1-szymon.heidrich@gmail.com>
Date: Mon, 13 Mar 2023 23:00:45 +0100
From: Szymon Heidrich <szymon.heidrich@...il.com>
To: steve.glendinning@...well.net, davem@...emloft.net,
edumazet@...gle.com
Cc: kuba@...nel.org, pabeni@...hat.com, szymon.heidrich@...il.com,
linux-usb@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] net: usb: smsc75xx: Limit packet length to skb->len
Packet length retrieved from skb data may be larger than
the actual socket buffer length (up to 9026 bytes). In such
case the cloned skb passed up the network stack will leak
kernel memory contents.
Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
Signed-off-by: Szymon Heidrich <szymon.heidrich@...il.com>
---
drivers/net/usb/smsc75xx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
index 95de452ff..db34f8d1d 100644
--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -2212,7 +2212,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
dev->net->stats.rx_frame_errors++;
} else {
/* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+ size > skb->len)) {
netif_dbg(dev, rx_err, dev->net,
"size err rx_cmd_a=0x%08x\n",
rx_cmd_a);
--
2.39.2
Powered by blists - more mailing lists