From: bugzilla-daemon@bugzilla.kernel.org
To: linux-usb@vger.kernel.org
Subject: [Bug 209407] cdc_ncm_fill_tx_frame calls memset with huge length when called from cdc_mbim_tx_fixup
Date: Fri, 01 Jan 2021 16:25:06 +0000 [thread overview]
Message-ID: <bug-209407-208809-LJamfKQL4n@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-209407-208809@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=209407
--- Comment #8 from Jouni Seppänen (jks@iki.fi) ---
I can't claim to understand what all the code in these files does, but I
noticed a couple of things:
The functions cdc_ncm_ndp16 and cdc_ncm_ndp32 include this check:
/* verify that there is room for the NDP and the datagram (reserve) */
if ((ctx->tx_curr_size - skb->len - reserve) < ctx->max_ndp_size)
return NULL;
I think the types on the left-hand side of the comparison are as follows:
struct cdc_ncm_ctx {
...
u32 tx_curr_size;
...
}
struct sk_buff {
...
unsigned int len,
data_len;
...
}
static struct usb_cdc_ncm_ndp16 *cdc_ncm_ndp16(..., size_t reserve)
Each type is unsigned, so if skb->len + reserve ever happens to be greater than
ctx->tx_curr_size, the subtraction would result in a large number and the
comparison would almost certainly yield false.
Another thing: there seems to be a set of constants referring to 16/32 bit
quantities, and quantities of the same size seem to go together. For example,
when cdc_ncm_tx_fixup calls cdc_ncm_fill_tx_frame, it chooses the sign argument
like so:
if (ctx->is_ndp16)
skb_out = cdc_ncm_fill_tx_frame(dev, skb,
cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN));
else
skb_out = cdc_ncm_fill_tx_frame(dev, skb,
cpu_to_le32(USB_CDC_NCM_NDP32_NOCRC_SIGN));
But when cdc_mbim_tx_fixup calls cdc_ncm_fill_tx_frame, the sign argument is
either cpu_to_le32(USB_CDC_MBIM_NDP16_IPS_SIGN) or
cpu_to_le32(USB_CDC_MBIM_NDP16_DSS_SIGN). The constants
USB_CDC_MBIM_NDP32_IPS_SIGN and USB_CDC_MBIM_NDP32_DSS_SIGN are defined in
include/uapi/linux/usb/cdc.h but neither seems to be used anywhere in the
kernel.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
next prev parent reply other threads:[~2021-01-01 16:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-27 15:34 [Bug 209407] New: skb_over_panic in cdc_mbim_tx_fixup bugzilla-daemon
2020-12-31 6:05 ` [Bug 209407] " bugzilla-daemon
2020-12-31 12:20 ` bugzilla-daemon
2021-01-01 8:29 ` bugzilla-daemon
2021-01-01 9:52 ` bugzilla-daemon
2021-01-01 16:25 ` bugzilla-daemon [this message]
2021-01-03 15:02 ` [Bug 209407] cdc_ncm_fill_tx_frame calls memset with huge length when called from cdc_mbim_tx_fixup bugzilla-daemon
2021-01-22 12:20 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-209407-208809-LJamfKQL4n@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=linux-usb@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).