From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Oliver Neukum <oneukum@suse.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	oliver@neukum.org, kuba@kernel.org, linux-usb@vger.kernel.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 26/28] CDC-NCM: avoid overflow in sanity checking
Date: Tue, 22 Feb 2022 21:29:27 -0500
Message-ID: <20220223022929.241127-26-sashal@kernel.org>
In-Reply-To: <20220223022929.241127-1-sashal@kernel.org>

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 8d2b1a1ec9f559d30b724877da4ce592edc41fdc ]

A broken device may give an extreme offset like 0xFFF0
and a reasonable length for a fragment. In the sanity
check as formulated now, this will create an integer
overflow, defeating the sanity check. Both offset
and offset + len need to be checked in such a manner
that no overflow can occur.
And those quantities should be unsigned.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/cdc_ncm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index e303b522efb50..15f91d691bba3 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -1715,10 +1715,10 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 {
 	struct sk_buff *skb;
 	struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
-	int len;
+	unsigned int len;
 	int nframes;
 	int x;
-	int offset;
+	unsigned int offset;
 	union {
 		struct usb_cdc_ncm_ndp16 *ndp16;
 		struct usb_cdc_ncm_ndp32 *ndp32;
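Review bot: the signedness change at `-	int len;` / `+	unsigned int len;` and `-	int offset;` / `+	unsigned int offset;` does not by itself close the wrap the commit message describes: an `unsigned int` sum `offset + len` still wraps modulo 2^32, so this hunk is only safe together with the reordered comparison in the second hunk, and the two hunks must be backported as one change. The new types do remove the signed/unsigned mixing in the comparison against `skb_in->len`, which is itself an `unsigned int`; `nframes` and `x` stay `int`, which is fine as long as they are not folded into arithmetic with `offset` or `len`.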
@@ -1790,8 +1790,8 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 			break;
 		}
 
-		/* sanity checking */
-		if (((offset + len) > skb_in->len) ||
+		/* sanity checking - watch out for integer wrap*/
+		if ((offset > skb_in->len) || (len > skb_in->len - offset) ||
 				(len > ctx->rx_max) || (len < ETH_HLEN)) {
 			netif_dbg(dev, rx_err, dev->net,
 				  "invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n",
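Review bot: the new condition at `+		if ((offset > skb_in->len) || (len > skb_in->len - offset) ||` is correct only because `||` short-circuits: `skb_in->len - offset` would itself wrap when `offset > skb_in->len`, so the first comparison must stay in front of the second and the two terms must not be reordered or merged in a later cleanup; a short note in the comment saying the order matters would protect against that. Style nit on `+		/* sanity checking - watch out for integer wrap*/`: missing space before the closing delimiter, should read `/* sanity checking - watch out for integer wrap */`. The `netif_dbg` format string in the unchanged context already prints offset and length with `%u`, so it matches the new unsigned types without further change.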
-- 
2.34.1
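The wrap described in the commit message, shown as a constructed example that is not part of the patch or the cdc_ncm driver: both versions of the sanity check are reproduced as stand-alone functions, with `skb_in->len` and `ctx->rx_max` passed in as plain parameters and `ETH_HLEN` defined locally. The offset value is a constructed 32-bit extreme (the hunk shows the driver also handles `ndp32` entries, whose offsets are 32 bits wide); it is assumed here, not taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ethernet header length, same value as ETH_HLEN in <linux/if_ether.h>. */
#define ETH_HLEN 14

/*
 * The check as it read before the patch: signed offset and len, and a single
 * summed comparison. skb_len stands in for skb_in->len (unsigned int in the
 * kernel), rx_max for ctx->rx_max.
 */
static bool dpe_ok_before(unsigned int skb_len, unsigned int rx_max,
                          int offset, int len)
{
    if (((offset + len) > skb_len) ||
        (len > rx_max) || (len < ETH_HLEN))
        return false;
    return true;
}

/*
 * The check as it reads after the patch: unsigned types, offset bounded
 * first, then len bounded against the space that remains after offset.
 * Because offset <= skb_len is established before the subtraction runs,
 * skb_len - offset cannot wrap.
 */
static bool dpe_ok_after(unsigned int skb_len, unsigned int rx_max,
                         unsigned int offset, unsigned int len)
{
    if ((offset > skb_len) || (len > skb_len - offset) ||
        (len > rx_max) || (len < ETH_HLEN))
        return false;
    return true;
}

/*
 * Feed one constructed datagram pointer entry through both checks and report
 * whether the pre-patch check accepts what the post-patch check rejects.
 * Returns true when the wrap is reproduced.
 */
static bool demo_wrap(void)
{
    const unsigned int skb_len = 1514;      /* constructed: one full Ethernet frame received */
    const unsigned int rx_max = 16384;      /* constructed: negotiated NTB size */
    const uint32_t offset = 0xFFFFFFF0u;    /* constructed: extreme offset from a broken device */
    const uint32_t len = 64;                /* constructed: plausible-looking length */

    /* The driver assigned the 32-bit field to an int, so the value becomes -16
     * on two's-complement targets and -16 + 64 = 48 passes the old check. */
    bool before = dpe_ok_before(skb_len, rx_max, (int)offset, (int)len);
    bool after = dpe_ok_after(skb_len, rx_max, offset, len);

    printf("offset=0x%08x len=%u: before patch %s, after patch %s\n",
           offset, len,
           before ? "accepted" : "rejected",
           after ? "accepted" : "rejected");
    return before && !after;
}

int main(void)
{
    return demo_wrap() ? 0 : 1;
}
```

The post-patch form is the one to copy when bounding any (offset, length) pair read from an untrusted header: compare the offset to the buffer size first, then the length to the remaining space, and never sum the two untrusted values before comparing.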