[PATCH] net: can: esd_usb2: check index of array before accessing

[PATCH] net: can: esd_usb2: check index of array before accessing

[Marc Kleine-Budde]

From: Maximilian Schneider <max@schneidersoft.net>

The esd_usb2_read_bulk_callback() function is parsing the data that comes from
the USB CAN adapter. One datum is used as an index to access the dev->nets[]
array. This patch adds the missing bounds checking.

Cc: Matthias Fuchs <matthias.fuchs@esd.eu>
Signed-off-by: Maximilian Schneider <max@schneidersoft.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
Hello,

Maximilian, I've added a more detailed patch description and the error message
printing. What do you think.

Marc

 drivers/net/can/usb/esd_usb2.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
index 6aa7b32..ac6177d 100644
--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -412,10 +412,20 @@ static void esd_usb2_read_bulk_callback(struct urb *urb)
 
 		switch (msg->msg.hdr.cmd) {
 		case CMD_CAN_RX:
+			if (msg->msg.rx.net >= dev->net_count) {
+				dev_err(dev->udev->dev.parent, "format error\n");
+				break;
+			}
+
 			esd_usb2_rx_can_msg(dev->nets[msg->msg.rx.net], msg);
 			break;
 
 		case CMD_CAN_TX:
+			if (msg->msg.txdone.net >= dev->net_count) {
+				dev_err(dev->udev->dev.parent, "format error\n");
+				break;
+			}
+
 			esd_usb2_tx_done_msg(dev->nets[msg->msg.txdone.net],
 					     msg);
 			break;
-- 
1.8.3.1

Re: [PATCH] net: can: esd_usb2: check index of array before accessing

[Matthias Fuchs]

Hi,

did anybody encounter an issue with invalid net codes comming from the
device?

Well, you may add my

Acked-by: Matthias Fuchs <matthias.fuchs@esd.eu>

Matthias

On 03.07.2013 10:33, Marc Kleine-Budde wrote:
> From: Maximilian Schneider <max@schneidersoft.net>
> 
> The esd_usb2_read_bulk_callback() function is parsing the data that comes from
> the USB CAN adapter. One datum is used as an index to access the dev->nets[]
> array. This patch adds the missing bounds checking.
> 
> Cc: Matthias Fuchs <matthias.fuchs@esd.eu>
> Signed-off-by: Maximilian Schneider <max@schneidersoft.net>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ---
> Hello,
> 
> Maximilian, I've added a more detailed patch description and the error message
> printing. What do you think.
> 
> Marc
> 
>  drivers/net/can/usb/esd_usb2.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
> index 6aa7b32..ac6177d 100644
> --- a/drivers/net/can/usb/esd_usb2.c
> +++ b/drivers/net/can/usb/esd_usb2.c
> @@ -412,10 +412,20 @@ static void esd_usb2_read_bulk_callback(struct urb *urb)
>  
>  		switch (msg->msg.hdr.cmd) {
>  		case CMD_CAN_RX:
> +			if (msg->msg.rx.net >= dev->net_count) {
> +				dev_err(dev->udev->dev.parent, "format error\n");
> +				break;
> +			}
> +
>  			esd_usb2_rx_can_msg(dev->nets[msg->msg.rx.net], msg);
>  			break;
>  
>  		case CMD_CAN_TX:
> +			if (msg->msg.txdone.net >= dev->net_count) {
> +				dev_err(dev->udev->dev.parent, "format error\n");
> +				break;
> +			}
> +
>  			esd_usb2_tx_done_msg(dev->nets[msg->msg.txdone.net],
>  					     msg);
>  			break;
> 

Re: [PATCH] net: can: esd_usb2: check index of array before accessing

[Marc Kleine-Budde]

[-- Attachment #1: Type: text/plain, Size: 688 bytes --]

On 07/03/2013 12:00 PM, Matthias Fuchs wrote:
> did anybody encounter an issue with invalid net codes comming from the
> device?

No, but we should not trust data coming from the "outside" into the
kernel to be valid. I don't want to have a driver in the CAN subsystem
that may be used to exploit the kernel.

> Well, you may add my
> Acked-by: Matthias Fuchs <matthias.fuchs@esd.eu>

Thanks,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: [PATCH] net: can: esd_usb2: check index of array before accessing

[Max S.]

On Wed, 2013-07-03 at 12:00 +0200, Matthias Fuchs wrote:
> Hi,
> 
> did anybody encounter an issue with invalid net codes comming from the
> device?
Technically one could write a usb device that sends a bad
netcode/crafted message.

through 
esd_usb2_read_bulk_callback()
	esd_usb2_rx_can_msg(dev->nets[msg->msg.rx.net], msg);
	...
	esd_usb2_rx_event()
		...
		u8 state = msg->msg.rx.data[0];
		...
		priv->old_state = state;

one could write any u8 memory value to <255 past dev->nets.

... I think.

> 
> Well, you may add my
> 
> Acked-by: Matthias Fuchs <matthias.fuchs@esd.eu>
> 
> Matthias
> 
> On 03.07.2013 10:33, Marc Kleine-Budde wrote:
> > From: Maximilian Schneider <max@schneidersoft.net>
> > 
> > The esd_usb2_read_bulk_callback() function is parsing the data that comes from
> > the USB CAN adapter. One datum is used as an index to access the dev->nets[]
> > array. This patch adds the missing bounds checking.
> > 
> > Cc: Matthias Fuchs <matthias.fuchs@esd.eu>
> > Signed-off-by: Maximilian Schneider <max@schneidersoft.net>
:D
> > Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> > ---
> > Hello,
> > 
> > Maximilian, I've added a more detailed patch description and the error message
> > printing. What do you think. 
Looks good.

regards,
Max Schneider

Re: [PATCH] net: can: esd_usb2: check index of array before accessing

[Marc Kleine-Budde]

[-- Attachment #1: Type: text/plain, Size: 957 bytes --]

On 07/03/2013 01:51 PM, Max S. wrote:
> On Wed, 2013-07-03 at 12:00 +0200, Matthias Fuchs wrote:
>> Hi,
>>
>> did anybody encounter an issue with invalid net codes comming from the
>> device?
> Technically one could write a usb device that sends a bad
> netcode/crafted message.
> 
> through 
> esd_usb2_read_bulk_callback()
> 	esd_usb2_rx_can_msg(dev->nets[msg->msg.rx.net], msg);
> 	...
> 	esd_usb2_rx_event()
> 		...
> 		u8 state = msg->msg.rx.data[0];
> 		...
> 		priv->old_state = state;
> 
> one could write any u8 memory value to <255 past dev->nets.
> 
> ... I think.

Yes or crash the kernel by accessing bad memory, better safe then sorry.

Marc
-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: [PATCH] net: can: esd_usb2: check index of array before accessing

[Marc Kleine-Budde]

[-- Attachment #1: Type: text/plain, Size: 766 bytes --]

On 07/03/2013 02:51 PM, Matthias Fuchs wrote:
> On 03.07.2013 13:51, Max S. wrote:
>> On Wed, 2013-07-03 at 12:00 +0200, Matthias Fuchs wrote:
>>> Hi,
>>>
>>> did anybody encounter an issue with invalid net codes comming from the
>>> device?
>> Technically one could write a usb device that sends a bad
>> netcode/crafted message.
> 
> Yes of course. I only asked if somebody observed an issue with the real
> device.

There are no known issues with the real device.


Marc
-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]