diff mbox series

sr9700: improve packet length sanity check

Message ID 20220714132134.426621-1-cascardo@canonical.com
State New
Headers show
Series sr9700: improve packet length sanity check | expand

Commit Message

Thadeu Lima de Souza Cascardo July 14, 2022, 1:21 p.m. UTC 
The packet format includes a 3 byte headers and a 4 byte CRC. Account for
that when checking the given length is not larger than the skb length.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
---
 drivers/net/usb/sr9700.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jakub Kicinski July 19, 2022, 3:07 a.m. UTC | #1 
On Thu, 14 Jul 2022 10:21:34 -0300 Thadeu Lima de Souza Cascardo wrote:
> The packet format includes a 3 byte headers and a 4 byte CRC. Account for
> that when checking the given length is not larger than the skb length.

Please describe in detail the issue you're fixing. What will happen if
we don't include SR_RX_OVERHEAD in the check.

> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
diff mbox series

Patch

diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index 5a53e63d33a6..09bb40ac6e09 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -413,7 +413,7 @@  static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		/* ignore the CRC length */
 		len = (skb->data[1] | (skb->data[2] << 8)) - 4;
 
-		if (len > ETH_FRAME_LEN || len > skb->len)
+		if (len > ETH_FRAME_LEN || len + SR_RX_OVERHEAD > skb->len)
 			return 0;
 
 		/* the last packet of current skb */