| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231121134315.18721-1-oneukum@suse.com>
Date: Tue, 21 Nov 2023 14:43:15 +0100
From: Oliver Neukum <oneukum@...e.com>
To: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
linux-usb@...r.kernel.org,
netdev@...r.kernel.org
Cc: Oliver Neukum <oneukum@...e.com>
Subject: [PATCH] USB: gl620a: check for rx buffer overflow
The driver checks for a single package overflowing
maximum size. That needs to be done, but it is not
enough. As a single transmission can contain a high
number of packets, we also need to check whether
the aggregate of messages in itself short enough
overflow the buffer.
That is easiest done by checking that the current
packet does not overflow the buffer.
Signed-off-ny: Oliver Neukum <oneukum@...e.com>
---
drivers/net/usb/gl620a.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
index 46af78caf457..d33ae15abdc1 100644
--- a/drivers/net/usb/gl620a.c
+++ b/drivers/net/usb/gl620a.c
@@ -104,6 +104,10 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
return 0;
}
+ /* we also need to check for overflowing the buffer */
+ if (size > skb->len)
+ return 0;
+
// allocate the skb for the individual packet
gl_skb = alloc_skb(size, GFP_ATOMIC);
if (gl_skb) {
--
2.42.1
Powered by blists - more mailing lists