* Re: [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors
2017-11-06 14:37 [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors Bjørn Mork
@ 2017-11-06 14:35 ` Oliver Neukum
2017-11-08 4:44 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2017-11-06 14:35 UTC (permalink / raw)
To: Bjørn Mork, netdev
Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller, linux-usb
Am Montag, den 06.11.2017, 15:37 +0100 schrieb Bjørn Mork :
> Setting dev->hard_mtu to 0 will cause a divide error in
> usbnet_probe. Protect against devices with bogus CDC Ethernet
> functional descriptors by ignoring a zero wMaxSegmentSize.
>
> Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors
@ 2017-11-06 14:37 Bjørn Mork
2017-11-06 14:35 ` Oliver Neukum
2017-11-08 4:44 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Bjørn Mork @ 2017-11-06 14:37 UTC (permalink / raw)
To: netdev
Cc: linux-usb, Oliver Neukum, Dmitry Vyukov, Kostya Serebryany,
syzkaller, Bjørn Mork
Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
I believe the problem found by syzcaller in qmi_wwan also applies
to cdc_ether. We cannot allow the .bind callback to set
dev->hard_mtu to 0.
drivers/net/usb/cdc_ether.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 3e7a3ac3a362..05dca3e5c93d 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -230,7 +230,7 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
goto bad_desc;
}
- if (header.usb_cdc_ether_desc) {
+ if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) {
dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize);
/* because of Zaurus, we may be ignoring the host
* side link address we were given.
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors
2017-11-06 14:37 [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors Bjørn Mork
2017-11-06 14:35 ` Oliver Neukum
@ 2017-11-08 4:44 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2017-11-08 4:44 UTC (permalink / raw)
To: bjorn; +Cc: netdev, linux-usb, oneukum, dvyukov, kcc, syzkaller
From: Bjørn Mork <bjorn@mork.no>
Date: Mon, 6 Nov 2017 15:37:22 +0100
> Setting dev->hard_mtu to 0 will cause a divide error in
> usbnet_probe. Protect against devices with bogus CDC Ethernet
> functional descriptors by ignoring a zero wMaxSegmentSize.
>
> Signed-off-by: Bjørn Mork <bjorn@mork.no>
Applied and queued up for -stable.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-11-08 4:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-06 14:37 [PATCH net,stable] net: cdc_ether: fix divide by 0 on bad descriptors Bjørn Mork
2017-11-06 14:35 ` Oliver Neukum
2017-11-08 4:44 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.