usbnet: ipheth: fix DPE OoB read · tjh.dev/kernel@ee591f2

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

usbnet: ipheth: fix DPE OoB read

Fix an out-of-bounds DPE read, limit the number of processed DPEs to
the amount that fits into the fixed-size NDP16 header.

Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
Cc: stable@vger.kernel.org
Signed-off-by: Foster Snowhill <forst@pen.gy>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Foster Snowhill and committed by

Paolo Abeni 1 year ago ee591f2b efcbc678

+1 -3

1 changed file

expand all

drivers

net

usb

ipheth.c

+1 -3

drivers/net/usb/ipheth.c

··· 246 246 goto rx_error; 247 247 248 248 dpe = ncm0->dpe16; 249 - while (true) { 249 + for (int dpe_i = 0; dpe_i < IPHETH_NDP16_MAX_DPE; ++dpe_i, ++dpe) { 250 250 dg_idx = le16_to_cpu(dpe->wDatagramIndex); 251 251 dg_len = le16_to_cpu(dpe->wDatagramLength); 252 252 ··· 268 268 retval = ipheth_consume_skb(buf, dg_len, dev); 269 269 if (retval != 0) 270 270 return retval; 271 - 272 - dpe++; 273 271 } 274 272 275 273 rx_error: