From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Bjørn Mork" <bjorn@mork.no>,
syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com,
"Jakub Kicinski" <jakub.kicinski@netronome.com>,
"Sasha Levin" <sashal@kernel.org>,
linux-usb@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 14/29] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
Date: Tue, 1 Oct 2019 12:44:08 -0400 [thread overview]
Message-ID: <20191001164423.16406-14-sashal@kernel.org> (raw)
In-Reply-To: <20191001164423.16406-1-sashal@kernel.org>
From: Bjørn Mork <bjorn@mork.no>
[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ]
Endpoints with zero wMaxPacketSize are not usable for transferring
data. Ignore such endpoints when looking for valid in, out and
status pipes, to make the driver more robust against invalid and
meaningless descriptors.
The wMaxPacketSize of the out pipe is used as divisor. So this change
fixes a divide-by-zero bug.
Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ncm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index f5316ab68a0a8..ab28487e60484 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -681,8 +681,12 @@ cdc_ncm_find_endpoints(struct usbnet *dev, struct usb_interface *intf)
u8 ep;
for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
-
e = intf->cur_altsetting->endpoint + ep;
+
+ /* ignore endpoints which cannot transfer data */
+ if (!usb_endpoint_maxp(&e->desc))
+ continue;
+
switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
case USB_ENDPOINT_XFER_INT:
if (usb_endpoint_dir_in(&e->desc)) {
--
2.20.1
next prev parent reply other threads:[~2019-10-01 16:44 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-01 16:43 [PATCH AUTOSEL 4.14 01/29] ima: always return negative code for error Sasha Levin
2019-10-01 16:43 ` [PATCH AUTOSEL 4.14 02/29] fs: nfs: Fix possible null-pointer dereferences in encode_attrs() Sasha Levin
2019-10-01 16:43 ` [PATCH AUTOSEL 4.14 03/29] 9p: avoid attaching writeback_fid on mmap with type PRIVATE Sasha Levin
2019-10-01 16:43 ` [PATCH AUTOSEL 4.14 04/29] xen/pci: reserve MCFG areas earlier Sasha Levin
2019-10-01 16:43 ` [PATCH AUTOSEL 4.14 05/29] ceph: fix directories inode i_blkbits initialization Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 06/29] ceph: reconnect connection if session hang in opening state Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 07/29] rbd: fix response length parameter for encoded strings Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 08/29] watchdog: aspeed: Add support for AST2600 Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 09/29] netfilter: nf_tables: allow lookups in dynamic sets Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 10/29] drm/amdgpu: Check for valid number of registers to read Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 11/29] pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 12/29] net/sched: act_sample: don't push mac header on ip6gre ingress Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 13/29] pwm: stm32-lp: Add check in case requested period cannot be achieved Sasha Levin
2019-10-01 16:44 ` Sasha Levin [this message]
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 15/29] usbnet: ignore endpoints with invalid wMaxPacketSize Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 16/29] net/phy: fix DP83865 10 Mbps HDX loopback disable function Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 17/29] net_sched: add max len check for TCA_KIND Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 18/29] thermal: Fix use-after-free when unregistering thermal zone device Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 19/29] fuse: fix memleak in cuse_channel_open Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 20/29] arcnet: provide a buffer big enough to actually receive packets Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 21/29] ppp: Fix memory leak in ppp_write Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 22/29] sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr() Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 23/29] perf build: Add detection of java-11-openjdk-devel package Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 24/29] kernel/elfcore.c: include proper prototypes Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 25/29] kexec: bail out upon SIGKILL when allocating memory Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 26/29] macsec: drop skb sk before calling gro_cells_receive Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 27/29] perf unwind: Fix libunwind build failure on i386 systems Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 28/29] usbnet: sanity checking of packet sizes and device mtu Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.14 29/29] sch_netem: fix a divide by zero in tabledist() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001164423.16406-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bjorn@mork.no \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).