| Message ID | 20230313220045.52394-1-szymon.heidrich@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | net: usb: smsc75xx: Limit packet length to skb->len | expand |
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Mon, 13 Mar 2023 23:00:45 +0100 you wrote: > Packet length retrieved from skb data may be larger than > the actual socket buffer length (up to 9026 bytes). In such > case the cloned skb passed up the network stack will leak > kernel memory contents. > > Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") > Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> > > [...] Here is the summary with links: - net: usb: smsc75xx: Limit packet length to skb->len https://git.kernel.org/netdev/net/c/d8b228318935 You are awesome, thank you!
diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index 95de452ff..db34f8d1d 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2212,7 +2212,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) dev->net->stats.rx_frame_errors++; } else { /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ - if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || + size > skb->len)) { netif_dbg(dev, rx_err, dev->net, "size err rx_cmd_a=0x%08x\n", rx_cmd_a);
Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> --- drivers/net/usb/smsc75xx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)