From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Oliver Neukum <oneukum@suse.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 20/40] usb: aqc111: check packet for fixup for true limit
Date: Mon, 18 Dec 2023 14:52:15 +0100 [thread overview]
Message-ID: <20231218135043.443611263@linuxfoundation.org> (raw)
In-Reply-To: <20231218135042.748715259@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit ccab434e674ca95d483788b1895a70c21b7f016a ]
If a device sends a packet that is inbetween 0
and sizeof(u64) the value passed to skb_trim()
as length will wrap around ending up as some very
large value.
The driver will then proceed to parse the header
located at that position, which will either oops or
process some random value.
The fix is to check against sizeof(u64) rather than
0, which the driver currently does. The issue exists
since the introduction of the driver.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/aqc111.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
index 68912e266826b..892d58b38cf5b 100644
--- a/drivers/net/usb/aqc111.c
+++ b/drivers/net/usb/aqc111.c
@@ -1079,17 +1079,17 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
u16 pkt_count = 0;
u64 desc_hdr = 0;
u16 vlan_tag = 0;
- u32 skb_len = 0;
+ u32 skb_len;
if (!skb)
goto err;
- if (skb->len == 0)
+ skb_len = skb->len;
+ if (skb_len < sizeof(desc_hdr))
goto err;
- skb_len = skb->len;
/* RX Descriptor Header */
- skb_trim(skb, skb->len - sizeof(desc_hdr));
+ skb_trim(skb, skb_len - sizeof(desc_hdr));
desc_hdr = le64_to_cpup((u64 *)skb_tail_pointer(skb));
/* Check these packets */
--
2.43.0
next prev parent reply other threads:[~2023-12-18 14:11 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-18 13:51 [PATCH 5.4 00/40] 5.4.265-rc1 review Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 01/40] afs: Fix refcount underflow from error handling race Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 02/40] net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 03/40] qca_debug: Prevent crash on TX ring changes Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 04/40] qca_debug: Fix ethtool -G iface tx behavior Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 05/40] qca_spi: Fix reset behavior Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 06/40] atm: solos-pci: Fix potential deadlock on &cli_queue_lock Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 07/40] atm: solos-pci: Fix potential deadlock on &tx_queue_lock Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 08/40] atm: Fix Use-After-Free in do_vcc_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 09/40] net/rose: Fix Use-After-Free in rose_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 10/40] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 11/40] net: Remove acked SYN flag from packet in the transmit queue correctly Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 12/40] sign-file: Fix incorrect return values check Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 13/40] vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 14/40] net: stmmac: use dev_err_probe() for reporting mdio bus registration failure Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 15/40] net: stmmac: Handle disabled MDIO busses from devicetree Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 16/40] appletalk: Fix Use-After-Free in atalk_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 17/40] cred: switch to using atomic_long_t Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 18/40] ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 19/40] Revert "PCI: acpiphp: Reassign resources on bridge if necessary" Greg Kroah-Hartman
2023-12-18 13:52 ` Greg Kroah-Hartman [this message]
2023-12-18 13:52 ` [PATCH 5.4 21/40] blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 22/40] bcache: avoid oversize memory allocation by small stripe_size Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 23/40] bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 24/40] bcache: avoid NULL checking to c->root in run_cache_set() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 25/40] platform/x86: intel_telemetry: Fix kernel doc descriptions Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 26/40] HID: add ALWAYS_POLL quirk for Apple kb Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 27/40] HID: hid-asus: reset the backlight brightness level on resume Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 28/40] HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 29/40] asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 30/40] net: usb: qmi_wwan: claim interface 4 for ZTE MF290 Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 31/40] HID: hid-asus: add const to read-only outgoing usb buffer Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 32/40] perf: Fix perf_event_validate_size() lockdep splat Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 33/40] soundwire: stream: fix NULL pointer dereference for multi_link Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 34/40] ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 35/40] arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 36/40] team: Fix use-after-free when an option instance allocation fails Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 37/40] ring-buffer: Fix memory leak of free page Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 38/40] mmc: block: Be sure to wait while busy in CQE error recovery Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 39/40] powerpc/ftrace: Create a dummy stackframe to fix stack unwind Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 40/40] powerpc/ftrace: Fix stack teardown in ftrace_no_trace Greg Kroah-Hartman
2023-12-19 0:03 ` [PATCH 5.4 00/40] 5.4.265-rc1 review Shuah Khan
2023-12-19 6:19 ` Harshit Mogalapalli
2023-12-19 9:08 ` Naresh Kamboju
2023-12-19 11:30 ` Jon Hunter
2023-12-19 20:52 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231218135043.443611263@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=oneukum@suse.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox