Skip to content

Commit a20b75e

Browse files
PlaidCatPlaidCat
committed
net: usb: smsc75xx: Limit packet length to skb->len
jira LE-4311 cve CVE-2023-53125 Rebuild_History Non-Buildable kernel-5.14.0-570.46.1.el9_6 commit-author Szymon Heidrich <szymon.heidrich@gmail.com> commit d8b2283 Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad87 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit d8b2283) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent 0a1d0f0 commit a20b75e

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

drivers/net/usb/smsc75xx.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2213,7 +2213,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
22132213
dev->net->stats.rx_frame_errors++;
22142214
} else {
22152215
/* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
2216-
if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
2216+
if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
2217+
size > skb->len)) {
22172218
netif_dbg(dev, rx_err, dev->net,
22182219
"size err rx_cmd_a=0x%08x\n",
22192220
rx_cmd_a);

0 commit comments

Comments
 (0)