Skip to content

Commit 87a8842

Browse files
caringicaringi
committed
Merge: CVE-2023-53125: net: usb: smsc75xx: Limit packet length to skb->len
MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-9/-/merge_requests/4431 JIRA: https://issues.redhat.com/browse/RHEL-112247 CVE: CVE-2023-53125 ``` net: usb: smsc75xx: Limit packet length to skb->len Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad87 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit d8b2283) ``` Signed-off-by: CKI Backport Bot <[email protected]> --- <small>Created 2025-09-01 19:27 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: Jakub Ramaseuski <[email protected]> Approved-by: Izabela Bakollari <[email protected]> Approved-by: CKI KWF Bot <[email protected]> Merged-by: Augusto Caringi <[email protected]>
2 parents 9c2071b + f883e56 commit 87a8842

File tree

1 file changed

+7
-0
lines changed

1 file changed

+7
-0
lines changed

drivers/net/usb/smsc75xx.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2201,6 +2201,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
22012201
size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING;
22022202
align_count = (4 - ((size + RXW_PADDING) % 4)) % 4;
22032203

2204+
if (unlikely(size > skb->len)) {
2205+
netif_dbg(dev, rx_err, dev->net,
2206+
"size err rx_cmd_a=0x%08x\n",
2207+
rx_cmd_a);
2208+
return 0;
2209+
}
2210+
22042211
if (unlikely(rx_cmd_a & RX_CMD_A_RED)) {
22052212
netif_dbg(dev, rx_err, dev->net,
22062213
"Error rx_cmd_a=0x%08x\n", rx_cmd_a);

0 commit comments

Comments
 (0)