In the Linux kernel, the following vulnerability has been resolved:
igb: cope with large MAXSKBFRAGS
Sabrina reports that the igb driver does not cope well with large MAXSKBFRAG values: setting MAXSKBFRAG to 45 causes payload corruption on TX.
An easy reproducer is to run ssh to connect to the machine. With MAXSKBFRAGS=17 it works, with MAXSKBFRAGS=45 it fails. This has been reported originally in https://bugzilla.redhat.com/show_bug.cgi?id=2265320
The root cause of the issue is that the driver does not take into account properly the (possibly large) shared info size when selecting the ring layout, and will try to fit two packets inside the same 4K page even when the 1st fraglist will trump over the 2nd head.
Address the issue by checking if 2K buffers are insufficient.