From: Simon Horman <horms@kernel.org>
To: Foster Snowhill <forst@pen.gy>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Georgi Valkov <gvalkov@gmail.com>,
Oliver Neukum <oneukum@suse.com>,
netdev@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [PATCH net-next 2/5] usbnet: ipheth: remove extraneous rx URB length check
Date: Fri, 9 Aug 2024 11:16:12 +0100 [thread overview]
Message-ID: <20240809101612.GJ3075665@kernel.org> (raw)
In-Reply-To: <20240806172809.675044-2-forst@pen.gy>
On Tue, Aug 06, 2024 at 07:28:06PM +0200, Foster Snowhill wrote:
> Rx URB length was already checked in ipheth_rcvbulk_callback_legacy()
> and ipheth_rcvbulk_callback_ncm(), depending on the current mode.
> The check in ipheth_rcvbulk_callback() was thus mostly a duplicate.
>
> The only place in ipheth_rcvbulk_callback() where we care about the URB
> length is for the initial control frame. These frames are always 4 bytes
> long. This has been checked as far back as iOS 4.2.1 on iPhone 3G.
>
> Remove the extraneous URB length check. For control frames, check for
> the specific 4-byte length instead.
Hi Foster,
I am slightly concerned what happens if a frame that does not match the
slightly stricter check in this patch, is now passed to
dev->rcvbulk_callback().
I see that observations have been made that this does not happen. But is
there no was to inject malicious packets, or for something to malfunction?
>
> Signed-off-by: Foster Snowhill <forst@pen.gy>
> Tested-by: Georgi Valkov <gvalkov@gmail.com>
> ---
> drivers/net/usb/ipheth.c | 8 ++------
> 1 file changed, 2 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
> index 6eeef10edada..017255615508 100644
> --- a/drivers/net/usb/ipheth.c
> +++ b/drivers/net/usb/ipheth.c
> @@ -286,11 +286,6 @@ static void ipheth_rcvbulk_callback(struct urb *urb)
> return;
> }
>
> - if (urb->actual_length <= IPHETH_IP_ALIGN) {
> - dev->net->stats.rx_length_errors++;
> - return;
> - }
> -
> /* RX URBs starting with 0x00 0x01 do not encapsulate Ethernet frames,
> * but rather are control frames. Their purpose is not documented, and
> * they don't affect driver functionality, okay to drop them.
> @@ -298,7 +293,8 @@ static void ipheth_rcvbulk_callback(struct urb *urb)
> * URB received from the bulk IN endpoint.
> */
> if (unlikely
> - (((char *)urb->transfer_buffer)[0] == 0 &&
> + (urb->actual_length == 4 &&
> + ((char *)urb->transfer_buffer)[0] == 0 &&
> ((char *)urb->transfer_buffer)[1] == 1))
> goto rx_submit;
>
> --
> 2.45.1
>
>
next prev parent reply other threads:[~2024-08-09 10:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-06 17:28 [PATCH net-next 1/5] usbnet: ipheth: race between ipheth_close and error handling Foster Snowhill
2024-08-06 17:28 ` [PATCH net-next 2/5] usbnet: ipheth: remove extraneous rx URB length check Foster Snowhill
2024-08-09 10:16 ` Simon Horman [this message]
2024-09-07 23:21 ` Foster Snowhill
2024-08-06 17:28 ` [PATCH net-next 3/5] usbnet: ipheth: drop RX URBs with no payload Foster Snowhill
2024-08-06 17:28 ` [PATCH net-next 4/5] usbnet: ipheth: do not stop RX on failing RX callback Foster Snowhill
2024-08-06 17:28 ` [PATCH net-next 5/5] usbnet: ipheth: fix carrier detection in modes 1 and 4 Foster Snowhill
2024-08-09 13:00 ` [PATCH net-next 1/5] usbnet: ipheth: race between ipheth_close and error handling patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240809101612.GJ3075665@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=forst@pen.gy \
--cc=gvalkov@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oneukum@suse.com \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.