Patch "net: usb: smsc95xx: Limit packet length to skb->len" has been added to the 4.19-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    net: usb: smsc95xx: Limit packet length to skb->len

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-usb-smsc95xx-limit-packet-length-to-skb-len.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f857425147e7c00655c29b456827cb8ea68757a1
Author: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
Date:   Thu Mar 16 11:19:54 2023 +0100

    net: usb: smsc95xx: Limit packet length to skb->len
    
    [ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ]
    
    Packet length retrieved from descriptor may be larger than
    the actual socket buffer length. In such case the cloned
    skb passed up the network stack will leak kernel memory contents.
    
    Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
    Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
    Reviewed-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@xxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index 4f29010e1aeff..0850486864135 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -1950,6 +1950,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		size = (u16)((header & RX_STS_FL_) >> 16);
 		align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
 
+		if (unlikely(size > skb->len)) {
+			netif_dbg(dev, rx_err, dev->net,
+				  "size err header=0x%08x\n", header);
+			return 0;
+		}
+
 		if (unlikely(header & RX_STS_ES_)) {
 			netif_dbg(dev, rx_err, dev->net,
 				  "Error header=0x%08x\n", header);



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux