The driver's main loop isn't ready for a device sending some trailing bytes as it tests for an exact match between package and accumulated frames. We would parse some garbage from the heap and follow its pointers. Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/net/usb/smsc75xx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index 95de452ff4da..649e43b4df4f 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2183,7 +2183,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) if (skb->len < dev->net->hard_header_len) return 0; - while (skb->len > 0) { + /* at least two u32 must be left to go on */ + while (skb->len > 4 + 4) { u32 rx_cmd_a, rx_cmd_b, align_count, size; struct sk_buff *ax_skb; unsigned char *packet; -- 2.34.1
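Review bot: The comment and the test in the new loop condition disagree by one: the comment says "at least two u32 must be left to go on", but "while (skb->len > 4 + 4)" only continues when more than 8 bytes remain, so a buffer with exactly two u32 left ends the loop. If that is intended because two command words with no payload are not worth parsing, the comment should say "more than two u32"; otherwise the test should be ">=". Writing the bound as 2 * sizeof(u32) would tie it to the rx_cmd_a and rx_cmd_b declarations just below instead of leaving a bare "4 + 4". The hunk shows neither what the function returns when the loop exits with trailing bytes still in the skb, nor whether size is checked against the remaining skb->len before the packet is used. Both are worth stating in the commit message, since the fix only guarantees that the two command words can be read.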