github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-22 22:22:08 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

usbnet: ipheth: fix possible overflow in DPE length check

Browse Source 
Originally, it was possible for the DPE length check to overflow if
wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
read.

Move the wDatagramIndex term to the other side of the inequality.

An existing condition ensures that wDatagramIndex < urb->actual_length.

Fixes: a2d274c62e ("usbnet: ipheth: add CDC NCM support")
Cc: stable@vger.kernel.org
Signed-off-by: Foster Snowhill <forst@pen.gy>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Foster Snowhill 2025-01-26 00:54:03 +01:00 committed by Paolo Abeni
parent 19ae40f572
commit c219427ed2
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/usb/ipheth.c
View File

@ -243,8 +243,8 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
le16_to_cpu(dpe->wDatagramLength) != 0) {
if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
le16_to_cpu(dpe->wDatagramIndex) +
le16_to_cpu(dpe->wDatagramLength) > urb->actual_length) {
le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
le16_to_cpu(dpe->wDatagramIndex)) {
dev->net->stats.rx_length_errors++;
return retval;
}