diff mbox series

sr9700: sanity check for packet length

Message ID 20220217131044.26983-1-oneukum@suse.com (mailing list archive)
State Accepted
Commit e9da0b56fe27206b49f39805f7dcda8a89379062
Delegated to: Netdev Maintainers
Headers show
Series sr9700: sanity check for packet length | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 3 this patch: 3
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Oliver Neukum Feb. 17, 2022, 1:10 p.m. UTC
A malicious device can leak heap data to user space
providing bogus frame lengths. Introduce a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/sr9700.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Grant Grundler Feb. 17, 2022, 8:03 p.m. UTC | #1
On Thu, Feb 17, 2022 at 5:10 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> A malicious device can leak heap data to user space
> providing bogus frame lengths. Introduce a sanity check.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

Reviewed-by: Grant Grundler <grundler@chromium.org>

> ---
>  drivers/net/usb/sr9700.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
> index b658510cc9a4..5a53e63d33a6 100644
> --- a/drivers/net/usb/sr9700.c
> +++ b/drivers/net/usb/sr9700.c
> @@ -413,7 +413,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
>                 /* ignore the CRC length */
>                 len = (skb->data[1] | (skb->data[2] << 8)) - 4;
>
> -               if (len > ETH_FRAME_LEN)
> +               if (len > ETH_FRAME_LEN || len > skb->len)

good catch.

>                         return 0;
>
>                 /* the last packet of current skb */
> --
> 2.34.1
>
patchwork-bot+netdevbpf@kernel.org Feb. 18, 2022, 11:10 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 17 Feb 2022 14:10:44 +0100 you wrote:
> A malicious device can leak heap data to user space
> providing bogus frame lengths. Introduce a sanity check.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>  drivers/net/usb/sr9700.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Here is the summary with links:
  - sr9700: sanity check for packet length
    https://git.kernel.org/netdev/net/c/e9da0b56fe27

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index b658510cc9a4..5a53e63d33a6 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -413,7 +413,7 @@  static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		/* ignore the CRC length */
 		len = (skb->data[1] | (skb->data[2] << 8)) - 4;
 
-		if (len > ETH_FRAME_LEN)
+		if (len > ETH_FRAME_LEN || len > skb->len)
 			return 0;
 
 		/* the last packet of current skb */