CDC-NCM: avoid overflow in sanity checking (8d2b1a1e) · Commits · EulixOS / Software / Kernel

drivers/net/usb/cdc_ncm.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -1715,10 +1715,10 @@ int cdc_ncm_rx_fixup(struct usbnet dev, struct sk_buff skb_in)
		{
		struct sk_buff *skb;
		struct cdc_ncm_ctx ctx = (struct cdc_ncm_ctx )dev->data[0];
		int len;
		unsigned int len;
		int nframes;
		int x;
		int offset;
		unsigned int offset;
		union {
		struct usb_cdc_ncm_ndp16 *ndp16;
		struct usb_cdc_ncm_ndp32 *ndp32;
		@@ -1790,8 +1790,8 @@ int cdc_ncm_rx_fixup(struct usbnet dev, struct sk_buff skb_in)
		break;
		}

		/* sanity checking */
		if (((offset + len) > skb_in->len) \|\|
		/* sanity checking - watch out for integer wrap*/
		if ((offset > skb_in->len) \|\| (len > skb_in->len - offset) \|\|
		(len > ctx->rx_max) \|\| (len < ETH_HLEN)) {
		netif_dbg(dev, rx_err, dev->net,
		"invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n",