cx82310_rx_fixup() completes a packet that started in the previous URB by copying dev->partial_rem bytes from the current skb. It then pulls the same continuation extent, rounded up to an even byte count. The code does not first prove that the current skb contains that continuation. Add a fail-closed bound check before the copy and pull. If the continuation is shorter than the pending packet state expects, drop that pending partial packet before returning so later URBs are not consumed as stale continuation bytes. This keeps the existing cross-URB packet model, but avoids consuming bytes that are not present in the current skb. Signed-off-by: Pengpeng Hou --- diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c --- a/drivers/net/usb/cx82310_eth.c +++ b/drivers/net/usb/cx82310_eth.c @@ -242,7 +242,7 @@ */ static int cx82310_rx_fixup(struct usbnet *dev, struct sk_buff *skb) { - int len; + int len, pull_len; struct sk_buff *skb2; struct cx82310_priv *priv = dev->driver_priv; @@ -251,6 +251,13 @@ * end of that packet at the beginning. */ if (dev->partial_rem) { + pull_len = (dev->partial_rem + 1) & ~1; + if (skb->len < pull_len) { + dev->partial_len = 0; + dev->partial_rem = 0; + return 0; + } + len = dev->partial_len + dev->partial_rem; skb2 = alloc_skb(len, GFP_ATOMIC); if (!skb2) @@ -261,7 +265,7 @@ memcpy(skb2->data + dev->partial_len, skb->data, dev->partial_rem); usbnet_skb_return(dev, skb2); - skb_pull(skb, (dev->partial_rem + 1) & ~1); + skb_pull(skb, pull_len); dev->partial_rem = 0; if (skb->len < 2) return 1;