CVE-2025-21742

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usbnet: ipheth: use static NDP16 location in URB<br /> <br /> Original code allowed for the start of NDP16 to be anywhere within the<br /> URB based on the `wNdpIndex` value in NTH16. Only the start position of<br /> NDP16 was checked, so it was possible for even the fixed-length part<br /> of NDP16 to extend past the end of URB, leading to an out-of-bounds<br /> read.<br /> <br /> On iOS devices, the NDP16 header always directly follows NTH16. Rely on<br /> and check for this specific format.<br /> <br /> This, along with NCM-specific minimal URB length check that already<br /> exists, will ensure that the fixed-length part of NDP16 plus a set<br /> amount of DPEs fit within the URB.<br /> <br /> Note that this commit alone does not fully address the OoB read.<br /> The limit on the amount of DPEs needs to be enforced separately.