tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

net: usb: smsc95xx: Limit packet length to skb->len

Packet length retrieved from descriptor may be larger than
the actual socket buffer length. In such case the cloned
skb passed up the network stack will leak kernel memory contents.

Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Szymon Heidrich and committed by
Jakub Kicinski ff821092 30796d0d

+6
+6
drivers/net/usb/smsc95xx.c
··· 1833 1833 size = (u16)((header & RX_STS_FL_) >> 16); 1834 1834 align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4; 1835 1835 1836 + if (unlikely(size > skb->len)) { 1837 + netif_dbg(dev, rx_err, dev->net, 1838 + "size err header=0x%08x\n", header); 1839 + return 0; 1840 + } 1841 + 1836 1842 if (unlikely(header & RX_STS_ES_)) { 1837 1843 netif_dbg(dev, rx_err, dev->net, 1838 1844 "Error header=0x%08x\n", header);