* [PATCH AUTOSEL 5.4 04/11] sr9700: sanity check for packet length
[not found] <20220301201951.19066-1-sashal@kernel.org>
@ 2022-03-01 20:19 ` Sasha Levin
0 siblings, 0 replies; only message in thread
From: Sasha Levin @ 2022-03-01 20:19 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Oliver Neukum, Grant Grundler, David S . Miller, Sasha Levin,
kuba, jgg, arnd, linux-usb, netdev
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit e9da0b56fe27206b49f39805f7dcda8a89379062 ]
A malicious device can leak heap data to user space
providing bogus frame lengths. Introduce a sanity check.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reviewed-by: Grant Grundler <grundler@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/sr9700.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index e04c8054c2cf3..fce6713e970ba 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
/* ignore the CRC length */
len = (skb->data[1] | (skb->data[2] << 8)) - 4;
- if (len > ETH_FRAME_LEN)
+ if (len > ETH_FRAME_LEN || len > skb->len)
return 0;
/* the last packet of current skb */
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-03-01 20:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20220301201951.19066-1-sashal@kernel.org>
2022-03-01 20:19 ` [PATCH AUTOSEL 5.4 04/11] sr9700: sanity check for packet length Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).