NetBSD-Bugs archive


kern/59940: usbnet(9): uno_tx_prepare buffer overrun audit



>Number:         59940
>Category:       kern
>Synopsis:       usbnet(9): uno_tx_prepare buffer overrun audit
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 24 23:15:00 +0000 2026
>Originator:     Taylor R Campbell
>Release:        current, 11, 10, 9, ...
>Organization:
The usbnet(9) Foundation
>Environment:
>Description:

	When usbnet(9) decides to transmit a packet, it is the
	responsibility of the usbnet(9) driver to verify in its
	uno_tx_prepare function that the payload fits in the xfer
	buffer alongside any device-specific header.

	It's not clear all the drivers do this.

	And while most (all?) paths into interface tx limit the pktlen
	to the interface's MTU (at least bpf(4) rejects >MTU writes and
	the ip_output path fragments >MTU packets), it's not clear that
	usbnet(9) requires the MTU not to exceed the driver's buffer
	size.  So the following assertion might fire:

529 		KASSERT(m->m_pkthdr.len <= un->un_tx_bufsz);

https://nxr.netbsd.org/xref/src/sys/dev/usb/usbnet.c?r=1.121#529

>How-To-Repeat:

	code inspection and thought

>Fix:

	1. Enforce limit on MTU in usbnet(9), or find where it is
	   already enforced.

	2. Audit all the drivers to ensure they also check the buffer
	   size on tx.
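
The check described in this report, as an added example that is not part of the original PR and is not NetBSD driver code: a userspace model of a tx-prepare step that rejects any packet whose device header plus payload would overrun the xfer buffer, together with the MTU bound that item 1 of the Fix asks for. All names, the 4-byte length header, the 14-byte Ethernet header allowance, and the use of a 0 return to mean "rejected" are assumptions of the model.

```c
/* Userspace model; all names here are hypothetical, not usbnet(9) API. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_HDR_LEN   4u	/* constructed: device-specific tx header */
#define MODEL_ETHER_HDR 14u	/* assumed link header counted in pktlen */

struct model_txbuf {
	uint8_t *buf;		/* xfer buffer */
	size_t bufsz;		/* plays the role of un_tx_bufsz */
};

/* Returns bytes to transfer, or 0 if header + payload does not fit. */
static size_t
model_tx_prepare(struct model_txbuf *tx, const uint8_t *pkt, size_t pktlen)
{
	uint16_t len, inv;
	/* Subtraction form: MODEL_HDR_LEN + pktlen could wrap around. */
	if (tx->bufsz < MODEL_HDR_LEN || pktlen > tx->bufsz - MODEL_HDR_LEN)
		return 0;
	if (pktlen > UINT16_MAX)	/* length field is 16 bits wide */
		return 0;
	len = (uint16_t)pktlen;
	inv = (uint16_t)~len;
	tx->buf[0] = len & 0xff;	/* little-endian length */
	tx->buf[1] = len >> 8;
	tx->buf[2] = inv & 0xff;	/* and its complement */
	tx->buf[3] = inv >> 8;
	memcpy(tx->buf + MODEL_HDR_LEN, pkt, pktlen);
	return MODEL_HDR_LEN + pktlen;
}

/* Largest MTU whose full frame still fits the buffer; 0 if none does. */
static size_t
model_max_mtu(size_t bufsz)
{
	if (bufsz < MODEL_HDR_LEN + MODEL_ETHER_HDR)
		return 0;
	return bufsz - MODEL_HDR_LEN - MODEL_ETHER_HDR;
}

int
main(void)
{
	uint8_t buf[64], pkt[80] = {0};	/* constructed sample sizes */
	struct model_txbuf tx = { buf, sizeof(buf) };
	return !(model_tx_prepare(&tx, pkt, 60) == 64 &&
	    model_tx_prepare(&tx, pkt, 61) == 0 && model_max_mtu(64) == 46);
}
```

With a 64-byte buffer the model accepts a 60-byte packet and rejects a 61-byte one, so an MTU above 46 would let the stack hand the driver frames it has to drop.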


