DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=subject:to
        :references:cc:from:message-id:date:mime-version:in-reply-to
        :content-type:content-transfer-encoding; q=dns; s=sasl; b=xvTOC5
        K+tZP6peYtXasu2crjCJMZ82CdCpNEfKPk4SovK+rEJkU9RIN4ySBtQhRiM3f9oZ
        iGmPaLCnaib/1HJqv3PWW1LgU1W4eE/KsBwAXVfg/lprhcJJPHyfLtbw2sKSw7TQ
        q6gA3dr+HLq4nnLWXDZRD1KI9dZAKDWsTPFIU=
Subject: Re: [PATCH net 2/2] r8152: rx descriptor check
To: Francois Romieu <romieu@fr.zoreil.com>,
        Hayes Wang <hayeswang@realtek.com>
References: <1394712342-15778-226-Taiwan-albertk@realtek.com>
 <1394712342-15778-228-Taiwan-albertk@realtek.com>
 <20161111121311.GA19673@electric-eye.fr.zoreil.com>
Cc: netdev@vger.kernel.org, nic_swsd@realtek.com,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
From: Mark Lord <mlord@pobox.com>
Message-ID: <17ddc468-3099-a423-422c-d0ae33489288@pobox.com>
Date: Sat, 12 Nov 2016 08:21:24 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <20161111121311.GA19673@electric-eye.fr.zoreil.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 734
Lines: 19

On 16-11-11 07:13 AM, Francois Romieu wrote:
> Hayes Wang <hayeswang@realtek.com> :
>> For some platforms, the data in memory is not the same with the one
>> from the device. That is, the data of memory is unbelievable. The
>> check is used to find out this situation.
> 
> Invalid packet size corrupted receive descriptors in Realtek's device
> reminds of CVE-2009-4537.
> 
> Is the silicium of both devices different enough to prevent the same
> exploit to happen ?

I don't know if the hardware can do it, but the existing Linux device
driver regularly attempts to process huge unreal packet sizes here.
I've had to patch it to reject "packets" larger than the configured MRU.
-- 
Mark Lord
Real-Time Remedies Inc.
mlord@pobox.com