Thread (6 messages) 6 messages, 3 authors, 2026-03-12

Re: [PATCH v2 0/2] net: usb: cdc_ncm: fix NDP nframes bounds check

From: Simon Horman <horms@kernel.org>
Date: 2026-03-11 17:17:07
Also in: linux-usb

On Mon, Mar 09, 2026 at 01:34:47PM -0700, tobgaertner wrote:
The nframes bounds check in cdc_ncm_rx_fixup() validates that the NDP
fits within the skb, but omits ndpoffset from the calculation. This
allows a malicious USB device to place a valid-looking NDP at a large
offset near the end of the skb, where the frame entries extend past the
skb boundary, causing an out-of-bounds read when iterating the NDP
entries.

Fix by including ndpoffset in the size comparison, so the check
correctly verifies that the entire NDP (header + frame entries) starting
at ndpoffset fits within skb->len.

Also use struct_size_t() for the NDP size calculation instead of manual
sizeof() arithmetic, as suggested by review.

Changes since v1:
- Split into two patches with separate Fixes tags for NDP16 and NDP32
- Use struct_size_t() instead of manual sizeof() + count * sizeof()
- Verified fix prevents out-of-bounds read via fuzzer regression test
Thanks for the update,

Reviewed-by: Simon Horman <horms@kernel.org>
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help