| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220215110243.30468-1-oneukum@suse.com>
Date: Tue, 15 Feb 2022 12:02:43 +0100
From: Oliver Neukum <oneukum@...e.com>
To: dmitry.bezrukov@...antia.com, igor.russkikh@...antia.com,
meissner@...e.com, netdev@...r.kernel.org,
linux-usb@...r.kernel.org
Cc: Oliver Neukum <oneukum@...e.com>
Subject: [RFC] aqc111: check for valid header length before parsing
The received package must be checked for being long
enough to contain the header to be parsed, or garbage
may be parsed during fixup.
Signed-off-by: Oliver Neukum <oneukum@...e.com>
---
drivers/net/usb/aqc111.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
index ea06d10e1c21..7848fe941a36 100644
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -1084,10 +1084,10 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
if (!skb)
goto err;
- if (skb->len == 0)
+ skb_len = skb->len;
+ if (skb_len < sizeof(desc_hdr))
goto err;
- skb_len = skb->len;
/* RX Descriptor Header */
skb_trim(skb, skb->len - sizeof(desc_hdr));
desc_hdr = le64_to_cpup((u64 *)skb_tail_pointer(skb));
--
2.34.1
Powered by blists - more mailing lists