Re: [PATCH net] net: usb: kalmia: bound RX frame length in kalmia_rx_fixup()
From: Andrew Lunn
Date: Mon Jun 22 2026 - 04:14:16 EST
On Mon, Jun 22, 2026 at 04:01:57PM +0800, Maoyi Xie wrote:
> kalmia_rx_fixup() computes usb_packet_length = skb->len - (2 *
> KALMIA_HEADER_LENGTH) as a u16, guarded only by a pre-loop check that
> skb->len is at least KALMIA_HEADER_LENGTH, which is 6. A device can
> deliver a short bulk-IN frame with skb->len in the 6 to 11 range, or
> leave a short trailing remainder on a later loop iteration. Either case
> underflows usb_packet_length to about 65530.
>
> That bypasses the usb_packet_length < ether_packet_length truncation path.
> The device-supplied ether_packet_length, a le16 up to 65535 read from
> header_start[2], then drives a memcmp() and the following skb_trim() and
> skb_pull() past the end of the rx buffer. The rx buffer is hard_mtu * 10,
> which is 14000 bytes. That is an out-of-bounds read.
>
> Require both the start and end framing headers to be present before
> subtracting them, on every loop iteration.
>
> Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
Reviewed-by: Andrew Lunn <andrew@xxxxxxx>
Andrew
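As an added illustration that is not part of the thread and not the driver's code, here is a simplified C model of the length arithmetic the commit message describes, with the pre-fix guard beside the fixed one. The struct, the function names and the "start header plus ether_packet_length must fit in the remaining bytes" bounds rule are assumptions made for the model, not logic taken from kalmia.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KALMIA_HEADER_LENGTH 6   /* framing header size named in the commit message */

/* Outcome of modelling one kalmia_rx_fixup() loop iteration (assumed model). */
struct len_result {
    bool rejected;                /* iteration refused by the length guard */
    uint16_t usb_packet_length;   /* u16, as in the driver: can wrap */
    uint16_t ether_packet_length; /* device-supplied le16 after the truncation check */
};

/* Model the length handling for one iteration.
 * skb_len:        bytes still present in the skb (the rx buffer remainder)
 * hdr_ether_len:  le16 the device wrote at header_start[2]
 * require_both:   false = pre-fix guard (skb_len >= KALMIA_HEADER_LENGTH)
 *                 true  = fixed guard (start and end header must both fit) */
struct len_result model_iteration(size_t skb_len, uint16_t hdr_ether_len,
                                  bool require_both)
{
    struct len_result r = { false, 0, 0 };
    size_t min_len = require_both ? 2 * KALMIA_HEADER_LENGTH
                                  : KALMIA_HEADER_LENGTH;

    if (skb_len < min_len) {
        r.rejected = true;       /* fixed path: short frame or remainder dropped */
        return r;
    }
    /* The subtraction the commit message describes; as a u16 it wraps to
     * roughly 65530 when skb_len is between 6 and 11. */
    r.usb_packet_length = (uint16_t)(skb_len - 2 * KALMIA_HEADER_LENGTH);
    r.ether_packet_length = hdr_ether_len;
    /* Truncation path: only effective when usb_packet_length has not wrapped. */
    if (r.usb_packet_length < r.ether_packet_length)
        r.ether_packet_length = r.usb_packet_length;
    return r;
}

/* Assumed bounds rule: the frame body is read right after the 6-byte start
 * header, so header + ether_packet_length must not exceed what is present. */
bool reads_past_buffer(struct len_result r, size_t skb_len)
{
    if (r.rejected)
        return false;
    return (size_t)KALMIA_HEADER_LENGTH + r.ether_packet_length > skb_len;
}
```

With an 8-byte frame and a device-supplied length of 1500, the pre-fix guard yields a wrapped usb_packet_length of 65532, skips truncation and would read past the buffer; the fixed guard rejects the iteration outright.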