From ff821092cf02a70c2bccd2d19269f01e29aa52cf Mon Sep 17 00:00:00 2001
From: Szymon Heidrich <szymon.heidrich@gmail.com>
Date: Thu, 16 Mar 2023 11:19:54 +0100
Subject: [PATCH] net: usb: smsc95xx: Limit packet length to skb->len
Git-commit: ff821092cf02a70c2bccd2d19269f01e29aa52cf
References: git-fixes
Patch-mainline: v6.3-rc4
Packet length retrieved from descriptor may be larger than
the actual socket buffer length. In such case the cloned
skb passed up the network stack will leak kernel memory contents.
Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/smsc95xx.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 32d2c60d334d..563ecd27b93e 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -1833,6 +1833,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
size = (u16)((header & RX_STS_FL_) >> 16);
align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
+ if (unlikely(size > skb->len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err header=0x%08x\n", header);
+ return 0;
+ }
+
if (unlikely(header & RX_STS_ES_)) {
netif_dbg(dev, rx_err, dev->net,
"Error header=0x%08x\n", header);
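Review bot: The added bound check at `if (unlikely(size > skb->len))` drops the buffer with only a `netif_dbg` message, so a device that reports an oversized length in its RX status word leaves no trace unless rx_err debugging is enabled. Counting the event before the `return 0;`, for example with `dev->net->stats.rx_length_errors++;`, would make such devices visible to monitoring. The check would also benefit from a one-line comment such as `/* size is device-supplied; it must not exceed the bytes actually received */`, because the reason for comparing against `skb->len` is otherwise explained only in the commit message. The hunk shows no lower bound on `size`, so how very small values are handled is worth confirming in the rest of smsc95xx_rx_fixup, which begins and ends outside the hunk.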
--
2.40.0