Skip to content

Commit 13b6de6

Browse files
bmastbergenbmastbergen
committed
net: usb: smsc75xx: Limit packet length to skb->len
jira VULN-67489 cve CVE-2023-53125 commit-author Szymon Heidrich <szymon.heidrich@gmail.com> commit d8b2283 Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad87 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit d8b2283) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
1 parent d1b70b4 commit 13b6de6

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

drivers/net/usb/smsc75xx.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
22112211
dev->net->stats.rx_frame_errors++;
22122212
} else {
22132213
/* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
2214-
if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
2214+
if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
2215+
size > skb->len)) {
22152216
netif_dbg(dev, rx_err, dev->net,
22162217
"size err rx_cmd_a=0x%08x\n",
22172218
rx_cmd_a);

0 commit comments

Comments
 (0)