Commit d6f351c4 authored by Foster Snowhill's avatar Foster Snowhill Committed by Pu Lehui
Browse files

usbnet: ipheth: fix possible overflow in DPE length check 

stable inclusion
from stable-v6.6.78
commit 18bf6f5cce3172cb303c3f0551aa9443d5ed74f8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC69
CVE: CVE-2025-21743

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=18bf6f5cce31



--------------------------------

commit c219427ed296f94bb4b91d08626776dc7719ee27 upstream.

Originally, it was possible for the DPE length check to overflow if
wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
read.

Move the wDatagramIndex term to the other side of the inequality.

An existing condition ensures that wDatagramIndex < urb->actual_length.

Fixes: a2d274c6 ("usbnet: ipheth: add CDC NCM support")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarFoster Snowhill <forst@pen.gy>
Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
parent 9d22d5b7

drivers/net/usb/ipheth.c

+2 −2
Original line number Diff line number Diff line
@@ -243,8 +243,8 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb) 
	while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&

	       le16_to_cpu(dpe->wDatagramLength) != 0) {

		if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||

		    le16_to_cpu(dpe->wDatagramIndex) +

		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length) {

		    le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -

		    le16_to_cpu(dpe->wDatagramIndex)) {

			dev->net->stats.rx_length_errors++;

			return retval;

		}