Problem Description:
A programming error in the ure(4) device driver caused some Realtek USB
Ethernet interfaces to incorrectly report packets with more than 2048 bytes
in a single USB transfer as having a length of only 2048 bytes.
An adversary can exploit this to cause the driver to misinterpret part of the
payload of a large packet as a separate packet, and thereby inject packets
across security boundaries such as VLANs.
Impact:
An attacker that can send large frames (larger than 2048 bytes in size) to be
received by the host (be it VLAN, or non-VLAN tagged packet), can inject
arbitrary packets to be received and processed by the host. This includes
spoofing packets from other hosts, or injecting packets to other VLANs than
the host is on.