 
On 9/26/25 12:49 PM, Guangshuo Li wrote:
> The driver trusts the RX descriptor length and uses it directly for dev_alloc_skb(), memcpy_fromio(), and skb_put() without any bounds checking. If the descriptor gets corrupted or otherwise contains an invalid value,
Why/how? Is the H/W known to corrupt the descriptors? If so, please point that out in the commit message. Otherwise, if this is intended to protect vs generic memory corruption inside the kernel caused by S/W bug, please look for such corruption root cause instead.
Thanks,
Paolo