* [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
[not found] <20191122194958.24926-1-sashal@kernel.org>
@ 2019-11-22 19:49 ` Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Dan Carpenter, David S . Miller, Sasha Levin, linux-usb, netdev
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit a56dcc6b455830776899ce3686735f1172e12243 ]
This code is supposed to test for negative error codes and partial
reads, but because sizeof() is size_t (unsigned) type then negative
error codes are type promoted to high positive values and the condition
doesn't work as expected.
Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index cbb9b4343d1ea..be4e56826daf6 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -577,7 +577,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
- if (err < sizeof(max_datagram_size)) {
+ if (err != sizeof(max_datagram_size)) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers
[not found] <20191122194958.24926-1-sashal@kernel.org>
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
@ 2019-11-22 19:49 ` Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2019-11-22 19:49 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Oliver Neukum, syzbot+a8d4acdad35e6bbca308, David S . Miller,
Sasha Levin, linux-usb, netdev
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
If a malicious device gives a short MAC it can elicit up to
5 bytes of leaked memory out of the driver. We need to check for
ETH_ALEN instead.
Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/ax88172a.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 49a3bc107d054..2c50497cc4edc 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -215,7 +215,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
/* Get the MAC address */
ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
- if (ret < 0) {
+ if (ret < ETH_ALEN) {
netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
goto free;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-22 19:51 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20191122194958.24926-1-sashal@kernel.org>
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 09/13] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
2019-11-22 19:49 ` [PATCH AUTOSEL 4.9 12/13] ax88172a: fix information leak on short answers Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).