Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: aqc111: check packet for fixup for true limit

If a device sends a packet that is in between 0
and sizeof(u64) the value passed to skb_trim()
as length will wrap around ending up as some very
large value.

The driver will then proceed to parse the header
located at that position, which will either oops or
process some random value.

The fix is to check against sizeof(u64) rather than
0, which the driver currently does. The issue exists
since the introduction of the driver.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Oliver Neukum and committed by David S. Miller
ccab434e 7475e51b

+4 -4
drivers/net/usb/aqc111.c
··· 1079 1079 u16 pkt_count = 0; 1080 1080 u64 desc_hdr = 0; 1081 1081 u16 vlan_tag = 0; 1082 - u32 skb_len = 0; 1082 + u32 skb_len; 1083 1083 1084 1084 if (!skb) 1085 1085 goto err; 1086 1086 1087 - if (skb->len == 0) 1087 + skb_len = skb->len; 1088 + if (skb_len < sizeof(desc_hdr)) 1088 1089 goto err; 1089 1090 1090 - skb_len = skb->len; 1091 1091 /* RX Descriptor Header */ 1092 - skb_trim(skb, skb->len - sizeof(desc_hdr)); 1092 + skb_trim(skb, skb_len - sizeof(desc_hdr)); 1093 1093 desc_hdr = le64_to_cpup((u64 *)skb_tail_pointer(skb)); 1094 1094 1095 1095 /* Check these packets */
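
Review bot: The read that follows the new length check, `desc_hdr = le64_to_cpup((u64 *)skb_tail_pointer(skb));`, still goes through a plain `u64 *` cast at an offset derived from the device-supplied length (`skb_len - sizeof(desc_hdr)`), and nothing in the visible lines guarantees that this address is 8-byte aligned. Using `get_unaligned_le64(skb_tail_pointer(skb))` there would remove both the alignment assumption and the cast. A short comment above `if (skb_len < sizeof(desc_hdr))` stating that the RX descriptor header occupies the last `sizeof(desc_hdr)` bytes of the buffer would make it clear why the bound is the header size and not zero. Since the commit message says the issue has existed since the driver was introduced, a `Fixes:` tag naming the introducing commit would help with stable backports.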