UPSTREAM: sr9700: sanity check for packet length [ Upstream commit e9da0b56fe27206b49f39805f7dcda8a89379062 ] A malicious device can leak heap data to user space providing bogus frame lengths. Introduce a sanity check. Bug: 225469258 Signed-off-by: Oliver Neukum <oneukum@suse.com> Reviewed-by: Grant Grundler <grundler@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Lee Jones <lee.jones@linaro.org> Change-Id: I2f17bd57b5c4228d0420f716527316a878a34efd

commit: e7f39d0aa294f998ddd55c5becb5e9601912da0d [log] [tgz]
author: Oliver Neukum <oneukum@suse.com> Thu Feb 17 14:10:44 2022 +0100
committer: Lee Jones <lee.jones@linaro.org> Thu Mar 24 10:49:22 2022 +0000
tree: 79e92617cc483a417ca1b433e685e9fadfd76180
parent: 6282531a84bc383f696278ef90fb3d3e1593a93b [diff]
diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
index e04c8054..fce6713 100644
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c

@@ -410,7 +410,7 @@
 		/* ignore the CRC length */
 		len = (skb->data[1] | (skb->data[2] << 8)) - 4;
 
-		if (len > ETH_FRAME_LEN)
+		if (len > ETH_FRAME_LEN || len > skb->len)
 			return 0;
 
 		/* the last packet of current skb */
commit	e7f39d0aa294f998ddd55c5becb5e9601912da0d	[log] [tgz]
author	Oliver Neukum <oneukum@suse.com>	Thu Feb 17 14:10:44 2022 +0100
committer	Lee Jones <lee.jones@linaro.org>	Thu Mar 24 10:49:22 2022 +0000
tree	79e92617cc483a417ca1b433e685e9fadfd76180
parent	6282531a84bc383f696278ef90fb3d3e1593a93b [diff]