From ff821092cf02a70c2bccd2d19269f01e29aa52cf Mon Sep 17 00:00:00 2001

From: Szymon Heidrich <szymon.heidrich@gmail.com>

Date: Thu, 16 Mar 2023 11:19:54 +0100

Subject: [PATCH] net: usb: smsc95xx: Limit packet length to skb->len

Git-commit: ff821092cf02a70c2bccd2d19269f01e29aa52cf

References: git-fixes

Patch-mainline: v6.3-rc4

Packet length retrieved from descriptor may be larger than

the actual socket buffer length. In such case the cloned

skb passed up the network stack will leak kernel memory contents.

Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")

Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>

Reviewed-by: Jakub Kicinski <kuba@kernel.org>

Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com

Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Oliver Neukum <oneukum@suse.com>

---

 drivers/net/usb/smsc95xx.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c

index 32d2c60d334d..563ecd27b93e 100644

--- a/drivers/net/usb/smsc95xx.c

+++ b/drivers/net/usb/smsc95xx.c

@@ -1833,6 +1833,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)

 		size = (u16)((header & RX_STS_FL_) >> 16);

 		align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;

+		if (unlikely(size > skb->len)) {

+			netif_dbg(dev, rx_err, dev->net,

+				  "size err header=0x%08x\n", header);

+			return 0;

+		}

+

 		if (unlikely(header & RX_STS_ES_)) {

 			netif_dbg(dev, rx_err, dev->net,

 				  "Error header=0x%08x\n", header);

-- 

2.40.0