Re: [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

Next message: David Laight: "Re: [PATCH] selftests/mm: Simplify byte pattern checking in mremap_test"
Previous message: Christian Brauner: "Re: [PATCH] iov_iter: use kmemdup_array for dup_iter to harden against overflow"
In reply to: Greg Kroah-Hartman: "[PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Abeni

Date: Tue Apr 14 2026 - 05:47:35 EST

On 4/11/26 1:01 PM, Greg Kroah-Hartman wrote:
> A malicious USB device claiming to be a CDC Phonet modem can overflow
> the skb_shared_info->frags[] array by sending an unbounded sequence of
> full-page bulk transfers.
>
> Drop the skb and increment the length error when the frag limit is
> reached. This matches the same fix that commit f0813bcd2d9d ("net:
> wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
> t7xx driver.
>
> Cc: Andrew Lunn <andrew+netdev@xxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
> Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

It looks like the fixes tag should be:

Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")

Right?

/P