On Mon, Mar 09, 2026 at 01:34:47PM -0700, tobgaertner wrote:
The nframes bounds check in cdc_ncm_rx_fixup() validates that the NDP
fits within the skb, but omits ndpoffset from the calculation. This
allows a malicious USB device to place a valid-looking NDP at a large
offset near the end of the skb, where the frame entries extend past the
skb boundary, causing an out-of-bounds read when iterating the NDP
entries.
Fix by including ndpoffset in the size comparison, so the check
correctly verifies that the entire NDP (header + frame entries) starting
at ndpoffset fits within skb->len.
Also use struct_size_t() for the NDP size calculation instead of manual
sizeof() arithmetic, as suggested by review.
Changes since v1:
- Split into two patches with separate Fixes tags for NDP16 and NDP32
- Use struct_size_t() instead of manual sizeof() + count * sizeof()
- Verified fix prevents out-of-bounds read via fuzzer regression test
Thanks for the update,
Reviewed-by: Simon Horman <horms@kernel.org>