net: usb: smsc75xx: Limit packet length to skb->len

jira VULN-67487
jira VULN-67486
cve CVE-2023-53125
commit-author Szymon Heidrich <[email protected]>
commit d8b2283

Packet length retrieved from skb data may be larger than
the actual socket buffer length (up to 9026 bytes). In such
case the cloned skb passed up the network stack will leak
kernel memory contents.

Fixes: d0cad87 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
	Signed-off-by: Szymon Heidrich <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit d8b2283)
	Signed-off-by: Jonathan Maple <[email protected]>

Author: PlaidCat

drivers/net/usb/smsc75xx.c

@@ -2225,7 +2225,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 				dev->net->stats.rx_frame_errors++;
 		} else {
 			/* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
-			if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+			if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+				     size > skb->len)) {
 				netif_dbg(dev, rx_err, dev->net,
 					  "size err rx_cmd_a=0x%08x\n",
 					  rx_cmd_a);