sr9700: sanity check for packet length

Message ID	20220217131044.26983-1-oneukum@suse.com (mailing list archive)
State	Accepted
Commit	e9da0b56fe27206b49f39805f7dcda8a89379062
Headers	show Return-Path: <linux-usb-owner@kernel.org> From: Oliver Neukum <oneukum@suse.com> To: davem@davemloft.net, kuba@kernel.org, grundler@chromium.org, andrew@lunn.ch, jgg@ziepe.ca, linux-usb@vger.kernel.org, arnd@arndb.de, netdev@vger.kernel.org Cc: Oliver Neukum <oneukum@suse.com> Subject: [PATCH] sr9700: sanity check for packet length Date: Thu, 17 Feb 2022 14:10:44 +0100 Message-Id: <20220217131044.26983-1-oneukum@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	sr9700: sanity check for packet length \| expand sr9700: sanity check for packet length

Message ID

20220217131044.26983-1-oneukum@suse.com (mailing list archive)

State

Accepted

Commit

e9da0b56fe27206b49f39805f7dcda8a89379062

Headers

From: Oliver Neukum <oneukum@suse.com>
To: davem@davemloft.net, kuba@kernel.org, grundler@chromium.org,
        andrew@lunn.ch, jgg@ziepe.ca, linux-usb@vger.kernel.org,
        arnd@arndb.de, netdev@vger.kernel.org
Cc: Oliver Neukum <oneukum@suse.com>
Subject: [PATCH] sr9700: sanity check for packet length
Date: Thu, 17 Feb 2022 14:10:44 +0100
Message-Id: <20220217131044.26983-1-oneukum@suse.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

sr9700: sanity check for packet length | expand

A malicious device can leak heap data to user space providing bogus frame lengths. Introduce a sanity check. Signed-off-by: Oliver Neukum <oneukum@suse.com> --- drivers/net/usb/sr9700.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Grant Grundler Feb. 17, 2022, 8:03 p.m. UTC | #1

On Thu, Feb 17, 2022 at 5:10 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> A malicious device can leak heap data to user space
> providing bogus frame lengths. Introduce a sanity check.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

Reviewed-by: Grant Grundler <grundler@chromium.org>

> ---
>  drivers/net/usb/sr9700.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
> index b658510cc9a4..5a53e63d33a6 100644
> --- a/drivers/net/usb/sr9700.c
> +++ b/drivers/net/usb/sr9700.c
> @@ -413,7 +413,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
>                 /* ignore the CRC length */
>                 len = (skb->data[1] | (skb->data[2] << 8)) - 4;
>
> -               if (len > ETH_FRAME_LEN)
> +               if (len > ETH_FRAME_LEN || len > skb->len)

good catch.

>                         return 0;
>
>                 /* the last packet of current skb */
> --
> 2.34.1
>

patchwork-bot+netdevbpf@kernel.org Feb. 18, 2022, 11:10 a.m. UTC | #2

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 17 Feb 2022 14:10:44 +0100 you wrote:
> A malicious device can leak heap data to user space
> providing bogus frame lengths. Introduce a sanity check.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>  drivers/net/usb/sr9700.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Here is the summary with links:
  - sr9700: sanity check for packet length
    https://git.kernel.org/netdev/net/c/e9da0b56fe27

You are awesome, thank you!

diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index b658510cc9a4..5a53e63d33a6 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -413,7 +413,7 @@  static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		/* ignore the CRC length */
 		len = (skb->data[1] | (skb->data[2] << 8)) - 4;
 
-		if (len > ETH_FRAME_LEN)
+		if (len > ETH_FRAME_LEN || len > skb->len)
 			return 0;
 
 		/* the last packet of current skb */

sr9700: sanity check for packet length

Commit Message

Comments

Patch