| Message ID | 20230114182326.30479-1-szymon.heidrich@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | net: usb: sr9700: Handle negative len | expand |
Hello: This patch was applied to netdev/net.git (master) by Paolo Abeni <pabeni@redhat.com>: On Sat, 14 Jan 2023 19:23:26 +0100 you wrote: > Packet len computed as difference of length word extracted from > skb data and four may result in a negative value. In such case > processing of the buffer should be interrupted rather than > setting sr_skb->len to an unexpectedly large value (due to cast > from signed to unsigned integer) and passing sr_skb to > usbnet_skb_return. > > [...] Here is the summary with links: - net: usb: sr9700: Handle negative len https://git.kernel.org/netdev/net/c/ecf7cf8efb59 You are awesome, thank you!
diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c index 5a53e63d3..3164451e1 100644 --- a/drivers/net/usb/sr9700.c +++ b/drivers/net/usb/sr9700.c @@ -413,7 +413,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) /* ignore the CRC length */ len = (skb->data[1] | (skb->data[2] << 8)) - 4; - if (len > ETH_FRAME_LEN || len > skb->len) + if (len > ETH_FRAME_LEN || len > skb->len || len < 0) return 0; /* the last packet of current skb */
Packet len computed as difference of length word extracted from skb data and four may result in a negative value. In such case processing of the buffer should be interrupted rather than setting sr_skb->len to an unexpectedly large value (due to cast from signed to unsigned integer) and passing sr_skb to usbnet_skb_return. Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> --- drivers/net/usb/sr9700.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)