* [PATCHv2] CDC-NCM: handle incomplete transfer of MTU
@ 2019-11-07 8:48 Oliver Neukum
2019-11-07 8:48 ` [PATCH] " Oliver Neukum
2019-11-07 23:28 ` [PATCHv2] " David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Oliver Neukum @ 2019-11-07 8:48 UTC (permalink / raw)
To: davem, netdev; +Cc: Oliver Neukum
A malicious device may give half an answer when asked
for its MTU. The driver will proceed after this with
a garbage MTU. Anything but a complete answer must be treated
as an error.
V2: used sizeof as request by Alexander
Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/cdc_ncm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 00cab3f43a4c..a245597a3902 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -578,8 +578,8 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
/* read current mtu value from device */
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
- 0, iface_no, &max_datagram_size, 2);
- if (err < 0) {
+ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+ if (err < sizeof(max_datagram_size)) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
@@ -590,7 +590,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,
- 0, iface_no, &max_datagram_size, 2);
+ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
if (err < 0)
dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");
--
2.16.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] CDC-NCM: handle incomplete transfer of MTU
2019-11-07 8:48 [PATCHv2] CDC-NCM: handle incomplete transfer of MTU Oliver Neukum
@ 2019-11-07 8:48 ` Oliver Neukum
2019-11-07 23:28 ` [PATCHv2] " David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Oliver Neukum @ 2019-11-07 8:48 UTC (permalink / raw)
To: davem, netdev; +Cc: Oliver Neukum
A malicious device may give half an answer when asked
for its MTU. The driver will proceed after this with
a garbage MTU. Anything but a complete answer must be treated
as an error.
V2: used sizeof as request by Alexander
Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/net/usb/cdc_ncm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 00cab3f43a4c..a245597a3902 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -578,8 +578,8 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
/* read current mtu value from device */
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
- 0, iface_no, &max_datagram_size, 2);
- if (err < 0) {
+ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+ if (err < sizeof(max_datagram_size)) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
@@ -590,7 +590,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,
- 0, iface_no, &max_datagram_size, 2);
+ 0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
if (err < 0)
dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");
--
2.16.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCHv2] CDC-NCM: handle incomplete transfer of MTU
2019-11-07 8:48 [PATCHv2] CDC-NCM: handle incomplete transfer of MTU Oliver Neukum
2019-11-07 8:48 ` [PATCH] " Oliver Neukum
@ 2019-11-07 23:28 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2019-11-07 23:28 UTC (permalink / raw)
To: oneukum; +Cc: netdev
From: Oliver Neukum <oneukum@suse.com>
Date: Thu, 7 Nov 2019 09:48:01 +0100
> A malicious device may give half an answer when asked
> for its MTU. The driver will proceed after this with
> a garbage MTU. Anything but a complete answer must be treated
> as an error.
>
> V2: used sizeof as request by Alexander
>
> Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
Applied and queued up for -stable, thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-07 23:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-07 8:48 [PATCHv2] CDC-NCM: handle incomplete transfer of MTU Oliver Neukum
2019-11-07 8:48 ` [PATCH] " Oliver Neukum
2019-11-07 23:28 ` [PATCHv2] " David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).