net: vertexcom: mse102x: Add range check for CMD_RTS

Since there is no protection in the SPI protocol against electrical
interferences, the driver shouldn't blindly trust the length payload
of CMD_RTS. So introduce a bounds check for incoming frames.

Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250430133043.7722-4-wahrenst@gmx.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c
index 3edf2c3753f0eb3fd0b52ce20f2a617ebc77744f..2c06d1d05164fc3770192cc5f5fddd54c344a642 100644 (file)
--- a/drivers/net/ethernet/vertexcom/mse102x.c
+++ b/drivers/net/ethernet/vertexcom/mse102x.c
@@ -6,6 +6,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
+#include <linux/if_vlan.h>
 #include <linux/interrupt.h>
 #include <linux/module.h>
 #include <linux/kernel.h>
@@ -337,8 +338,9 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse)
        }
 
        rxlen = cmd_resp & LEN_MASK;
-       if (!rxlen) {
-               net_dbg_ratelimited("%s: No frame length defined\n", __func__);
+       if (rxlen < ETH_ZLEN || rxlen > VLAN_ETH_FRAME_LEN) {
+               net_dbg_ratelimited("%s: Invalid frame length: %d\n", __func__,
+                                   rxlen);
                mse->stats.invalid_len++;
                return;
        }