net: usb: smsc95xx: Limit packet length to skb->len
[ Upstream commitff821092cf] Packet length retrieved from descriptor may be larger than the actual socket buffer length. In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes:2f7ca802bd("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Reviewed-by: Jakub Kicinski <kuba@kernel.org> Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Szymon Heidrich
Greg Kroah-Hartman
parent
c09cdf6eb8
commit
33d1603a38
1 changed files with 6 additions and 0 deletions
|
|
@ -1824,6 +1824,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
|
|||
size = (u16)((header & RX_STS_FL_) >> 16);
|
||||
align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
|
||||
|
||||
if (unlikely(size > skb->len)) {
|
||||
netif_dbg(dev, rx_err, dev->net,
|
||||
"size err header=0x%08x\n", header);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (unlikely(header & RX_STS_ES_)) {
|
||||
netif_dbg(dev, rx_err, dev->net,
|
||||
"Error header=0x%08x\n", header);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue