git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 11 Apr 2026 11:01:35 +0000 (13:01 +0200)
committer	Paolo Abeni <pabeni@redhat.com>
	Tue, 14 Apr 2026 10:05:01 +0000 (12:05 +0200)
commit	600dc40554dc5ad1e6f3af51f700228033f43ea7
tree	f851b33ff82650ee35af64aff6b2471681c9639a	tree \| snapshot
parent	ab4b6e4e80a0e573bd77d69439e4cb55e9e3c5ee	commit \| diff

net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.

Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.

Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026041134-dreamboat-buddhism-d1ec@gregkh
Fixes: 87cf65601e17 ("USB host CDC Phonet network interface driver")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>