Re: [PATCH] net: wan: hd64572: validate RX length before skb allocation and copy

Next message: Damon Ding: "[PATCH v6 14/18] drm/rockchip: analogix_dp: Apply analogix_dp_finish_probe()"
Previous message: David Binderman: "linux-6.17/tools/testing/selftests/landlock/fs_test.c:5631: Test for pointer &lt; 0 ?"
In reply to: Guangshuo Li: "[PATCH] net: wan: hd64572: validate RX length before skb allocation and copy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Abeni

Date: Tue Sep 30 2025 - 05:57:13 EST

On 9/26/25 12:49 PM, Guangshuo Li wrote:
> The driver trusts the RX descriptor length and uses it directly for
> dev_alloc_skb(), memcpy_fromio(), and skb_put() without any bounds
> checking. If the descriptor gets corrupted or otherwise contains an
> invalid value,

Why/how? Is the H/W known to corrupt the descriptors? If so please point
that out in the commit message.
Otherwise, if this is intended to protect vs generic memory corruption
inside the kernel caused by S/W bug, please look for such corruption
root cause instead.

Thanks,

Paolo