diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-11 13:01:35 +0200 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2026-04-14 12:05:01 +0200 |
| commit | 600dc40554dc5ad1e6f3af51f700228033f43ea7 (patch) | |
| tree | f851b33ff82650ee35af64aff6b2471681c9639a /include/asm-mips/ip32/git@git.tavy.me:linux.git | |
| parent | ab4b6e4e80a0e573bd77d69439e4cb55e9e3c5ee (diff) | |
net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.
Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh
Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include/asm-mips/ip32/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions