From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Bjørn Mork" <bjorn@mork.no>,
syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com,
"Jakub Kicinski" <jakub.kicinski@netronome.com>,
"Sasha Levin" <sashal@kernel.org>,
linux-usb@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 08/19] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
Date: Tue, 1 Oct 2019 12:44:54 -0400 [thread overview]
Message-ID: <20191001164505.16708-8-sashal@kernel.org> (raw)
In-Reply-To: <20191001164505.16708-1-sashal@kernel.org>
From: Bjørn Mork <bjorn@mork.no>
[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ]
Endpoints with zero wMaxPacketSize are not usable for transferring
data. Ignore such endpoints when looking for valid in, out and
status pipes, to make the driver more robust against invalid and
meaningless descriptors.
The wMaxPacketSize of the out pipe is used as divisor. So this change
fixes a divide-by-zero bug.
Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/cdc_ncm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 7b158674ceeda..43e28d2b0de7f 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -679,8 +679,12 @@ cdc_ncm_find_endpoints(struct usbnet *dev, struct usb_interface *intf)
u8 ep;
for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
-
e = intf->cur_altsetting->endpoint + ep;
+
+ /* ignore endpoints which cannot transfer data */
+ if (!usb_endpoint_maxp(&e->desc))
+ continue;
+
switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
case USB_ENDPOINT_XFER_INT:
if (usb_endpoint_dir_in(&e->desc)) {
--
2.20.1
next parent reply other threads:[~2019-10-01 16:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191001164505.16708-1-sashal@kernel.org>
2019-10-01 16:44 ` Sasha Levin [this message]
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 09/19] usbnet: ignore endpoints with invalid wMaxPacketSize Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 10/19] net/phy: fix DP83865 10 Mbps HDX loopback disable function Sasha Levin
2019-10-01 16:44 ` [PATCH AUTOSEL 4.9 13/19] arcnet: provide a buffer big enough to actually receive packets Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 14/19] ppp: Fix memory leak in ppp_write Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 17/19] macsec: drop skb sk before calling gro_cells_receive Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 18/19] usbnet: sanity checking of packet sizes and device mtu Sasha Levin
2019-10-01 16:45 ` [PATCH AUTOSEL 4.9 19/19] sch_netem: fix a divide by zero in tabledist() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191001164505.16708-8-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bjorn@mork.no \
--cc=jakub.kicinski@netronome.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).