From: Greg KH <gregKH@linuxfoundation.org>
To: Oliver Neukum <oneukum@suse.com>
Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org,
linux-usb@vger.kernel.org
Subject: Re: [PATCH] CDC-NCM: avoid overflow in sanity checking
Date: Tue, 15 Feb 2022 14:30:49 +0100 [thread overview]
Message-ID: <YgurCSqIL/VkaBmR@kroah.com> (raw)
In-Reply-To: <20220215103547.29599-1-oneukum@suse.com>
On Tue, Feb 15, 2022 at 11:35:47AM +0100, Oliver Neukum wrote:
> A broken device may give an extreme offset like 0xFFF0
> and a reasonable length for a fragment. In the sanity
> check as formulated now, this will create an integer
> overflow, defeating the sanity check. Both offset
> and offset + len need to be checked in such a manner
> that no overflow can occur.
> And those quantities should be unsigned.
>
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
> drivers/net/usb/cdc_ncm.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
> index e303b522efb5..15f91d691bba 100644
> --- a/drivers/net/usb/cdc_ncm.c
> +++ b/drivers/net/usb/cdc_ncm.c
> @@ -1715,10 +1715,10 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
> {
> struct sk_buff *skb;
> struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
> - int len;
> + unsigned int len;
> int nframes;
> int x;
> - int offset;
> + unsigned int offset;
> union {
> struct usb_cdc_ncm_ndp16 *ndp16;
> struct usb_cdc_ncm_ndp32 *ndp32;
> @@ -1790,8 +1790,8 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
> break;
> }
>
> - /* sanity checking */
> - if (((offset + len) > skb_in->len) ||
> + /* sanity checking - watch out for integer wrap*/
> + if ((offset > skb_in->len) || (len > skb_in->len - offset) ||
> (len > ctx->rx_max) || (len < ETH_HLEN)) {
> netif_dbg(dev, rx_err, dev->net,
> "invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n",
> --
> 2.34.1
>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
next prev parent reply other threads:[~2022-02-15 13:30 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-15 10:35 [PATCH] CDC-NCM: avoid overflow in sanity checking Oliver Neukum
2022-02-15 13:30 ` Greg KH [this message]
2022-02-15 15:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YgurCSqIL/VkaBmR@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oneukum@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.