sr9700: sanity check for packet length

mainline inclusion from mainline-v5.17-rc4 commit e9da0b56 category: bugfix bugzilla: 186472, https://gitee.com/src-openeuler/kernel/issues/I4ZQIZ CVE: CVE-2022-26966 -------------------------------- A malicious device can leak heap data to user space providing bogus frame lengths. Introduce a sanity check. Signed-off-by: N Oliver Neukum <oneukum@suse.com> Reviewed-by: N Grant Grundler <grundler@chromium.org> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Weilong Chen <chenweilong@huawei.com>

sr9700: sanity check for packet length
mainline inclusion from mainline-v5.17-rc4 commit e9da0b56 category: bugfix bugzilla: 186472, https://gitee.com/src-openeuler/kernel/issues/I4ZQIZ CVE: CVE-2022-26966 -------------------------------- A malicious device can leak heap data to user space providing bogus frame lengths. Introduce a sanity check. Signed-off-by: N Oliver Neukum <oneukum@suse.com> Reviewed-by: N Grant Grundler <grundler@chromium.org> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Weilong Chen <chenweilong@huawei.com>
c7a60df0 · Oliver Neukum · Zheng Zengkai · 0c83bb30 · c7a60df0
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/net/usb/sr9700.c drivers/net/usb/sr9700.c +1 -1

未找到文件。
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 		/* ignore the CRC length */
 		len = (skb->data[1] | (skb->data[2] << 8)) - 4;

-		if (len > ETH_FRAME_LEN)
+		if (len > ETH_FRAME_LEN || len > skb->len)
 			return 0;

 		/* the last packet of current skb */