[PATCH 5.15 030/146] net: usb: smsc95xx: Limit packet length to skb->len

28 Mar 2023

From: Szymon Heidrich szymon.heidrich@gmail.com
[ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ]
Packet length retrieved from descriptor may be larger than
the actual socket buffer length. In such case the cloned
skb passed up the network stack will leak kernel memory contents.
Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
Signed-off-by: Szymon Heidrich szymon.heidrich@gmail.com
Reviewed-by: Jakub Kicinski kuba@kernel.org
Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
 drivers/net/usb/smsc95xx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 7cf9206638c37..649d9f9af6e67 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -1808,6 +1808,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
    	size = (u16)((header & RX_STS_FL_) >> 16);
    	align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
+		if (unlikely(size > skb->len)) {
+			netif_dbg(dev, rx_err, dev->net,
+				  "size err header=0x%08x\n", header);
+			return 0;
+		}
+
    	if (unlikely(header & RX_STS_ES_)) {
    		netif_dbg(dev, rx_err, dev->net,
    			  "Error header=0x%08x\n", header);
-- 
2.39.2




    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 5.15 030/146] net: usb: smsc95xx: Limit packet length to skb->len