* [PATCH] can: gs_usb: detach device on reception of invalid USB data
From: Marc Kleine-Budde @ 2021-12-10  9:11 UTC
  To: linux-can; +Cc: Marc Kleine-Budde, Peter Fink

The received data contains the channel the received data is associated
with. If the channel number if bigger than the actual number of
channels assume broken or malicious USB device and shut it down.

This fixes the error found by clang:

| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
|                                     uninitialized whenever 'if' condition is true
|         if (hf->channel >= GS_MAX_INTF)
|             ^~~~~~~~~~~~~~~~~~~~~~~~~~
| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
|                           hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
|                               ^~~

Cc: Peter Fink <pfink@christ-es.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/gs_usb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index f8316a26ee35..d33ba13643af 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -384,7 +384,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
 
 	/* device reports out of range channel id */
 	if (hf->channel >= GS_MAX_INTF)
-		goto resubmit_urb;
+		goto device_detach;
 
 	dev = usbcan->canch[hf->channel];
 
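Review bot: The check at `if (hf->channel >= GS_MAX_INTF)` only compares the device-supplied channel against the compile-time maximum, while the commit message speaks of the actual number of channels. The detach loop in the second hunk tests `if (usbcan->canch[rc])`, so slots below GS_MAX_INTF can be NULL, and `dev = usbcan->canch[hf->channel];` would then pass a NULL `dev` on to later uses such as the `dev->gs_hf_size` access shown in the clang note. Consider also rejecting the frame when `usbcan->canch[hf->channel]` is NULL and taking the same `device_detach` path.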
@@ -478,6 +478,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
 
 	/* USB failure take down all interfaces */
 	if (rc == -ENODEV) {
+ device_detach:
 		for (rc = 0; rc < GS_MAX_INTF; rc++) {
 			if (usbcan->canch[rc])
 				netif_device_detach(usbcan->canch[rc]->netdev);
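Review bot: The `device_detach:` label sits inside the `if (rc == -ENODEV)` body, so the out-of-range channel path jumps into a conditional block whose comment, `/* USB failure take down all interfaces */`, no longer describes every way of reaching it. Update the comment to mention invalid channel data from the device, and consider logging an error before the loop so that an operator can tell why all interfaces were detached.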
-- 
2.33.0




* Re: [PATCH] can: gs_usb: detach device on reception of invalid USB data
From: Oliver Hartkopp @ 2021-12-13 13:31 UTC
  To: Marc Kleine-Budde, linux-can; +Cc: Peter Fink



On 10.12.21 10:11, Marc Kleine-Budde wrote:
> The received data contains the channel the received data is associated
> with. If the channel number if bigger than the actual number of
                               ^^

I always have to remind myself to take out the chewing gum before 
dictating commit messages  :-D

Best,
Oliver

> channels assume broken or malicious USB device and shut it down.
> 
> This fixes the error found by clang:
> 
> | drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
> |                                     uninitialized whenever 'if' condition is true
> |         if (hf->channel >= GS_MAX_INTF)
> |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
> | drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
> |                           hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
> |                               ^~~
> 
> Cc: Peter Fink <pfink@christ-es.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
>   drivers/net/can/usb/gs_usb.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
> index f8316a26ee35..d33ba13643af 100644
> --- a/drivers/net/can/usb/gs_usb.c
> +++ b/drivers/net/can/usb/gs_usb.c
> @@ -384,7 +384,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
>   
>   	/* device reports out of range channel id */
>   	if (hf->channel >= GS_MAX_INTF)
> -		goto resubmit_urb;
> +		goto device_detach;
>   
>   	dev = usbcan->canch[hf->channel];
>   
> @@ -478,6 +478,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
>   
>   	/* USB failure take down all interfaces */
>   	if (rc == -ENODEV) {
> + device_detach:
>   		for (rc = 0; rc < GS_MAX_INTF; rc++) {
>   			if (usbcan->canch[rc])
>   				netif_device_detach(usbcan->canch[rc]->netdev);
> 


* Re: [PATCH] can: gs_usb: detach device on reception of invalid USB data
From: Marc Kleine-Budde @ 2021-12-13 13:40 UTC
  To: Oliver Hartkopp; +Cc: linux-can, Peter Fink


On 13.12.2021 14:31:22, Oliver Hartkopp wrote:
> 
> 
> On 10.12.21 10:11, Marc Kleine-Budde wrote:
> > The received data contains the channel the received data is associated
> > with. If the channel number if bigger than the actual number of
>                               ^^
> 
> I always have to remind myself to take out the chewing gum before dictating
> commit messages  :-D

Alexa, fix the commit message! :D

Thanks,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
