From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 08/10] net: usb: smsc95xx: don't blindly trust hardware size
Date: Thu, 4 Apr 2024 20:39:59 +0200 [thread overview]
Message-ID: <20240404184001.1532897-9-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20240404184001.1532897-1-a.fatoum@pengutronix.de>
This is a port of Linux commit ff821092cf02a70c2bccd2d19269f01e29aa52cf:
| Author: Szymon Heidrich <szymon.heidrich@gmail.com>
| AuthorDate: Thu Mar 16 11:19:54 2023 +0100
|
| net: usb: smsc95xx: Limit packet length to skb->len
|
| Packet length retrieved from descriptor may be larger than
| the actual socket buffer length. In such case the cloned
| skb passed up the network stack will leak kernel memory
| contents.
|
| Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
| Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
| Reviewed-by: Jakub Kicinski <kuba@kernel.org>
| Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
| Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
drivers/net/usb/smsc95xx.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index ab0059fcdb0f..1587128368ad 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -767,6 +767,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, void *buf, int len)
size = (u16)((header & RX_STS_FL_) >> 16);
align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
+ if (unlikely(size > len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err header=0x%08x\n", header);
+ return 0;
+ }
+
if (header & RX_STS_ES_) {
netif_dbg(dev, rx_err, dev->net,
"Error header=0x%08x\n", header);
--
2.39.2
next prev parent reply other threads:[~2024-04-04 18:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-04 18:39 [PATCH 00/10] net: fix problems handling trailing bytes Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 01/10] net: free packets with net_free_packet Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 02/10] net: ip: don't blindly trust driver supplied frame size Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 03/10] net: icmp: " Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 04/10] net: icmp: properly set IP TTL and fragement fields Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 05/10] net: icmp: don't overrun buffer on send Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 06/10] net: cpsw: report correct frame size to network stack Ahmad Fatoum
2024-04-04 18:39 ` [PATCH 07/10] net: usb: smsc95xx: don't opencode get/put_aligned_le32 Ahmad Fatoum
2024-04-04 18:39 ` Ahmad Fatoum [this message]
2024-04-04 18:40 ` [PATCH 09/10] net: usb: smsc95xx: fix handling of multiple packets per urb Ahmad Fatoum
2024-04-05 7:18 ` [PATCH] fixup! " Ahmad Fatoum
2024-04-04 18:40 ` [PATCH 10/10] net: usb: smsc95xx: disable HW checksumming in driver Ahmad Fatoum
2024-04-04 19:49 ` [PATCH 00/10] net: fix problems handling trailing bytes Ahmad Fatoum
2024-04-05 9:57 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240404184001.1532897-9-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox