[PATCH net,stable] net: cdc_ncm: fix buffer overflow

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Bjørn Mork" <bjorn@mork.no>
To: netdev@vger.kernel.org
Cc: linux-usb@vger.kernel.org,
	"Alexey Orishko" <alexey.orishko@gmail.com>,
	"Oliver Neukum" <oliver@neukum.org>, "Bjørn Mork" <bjorn@mork.no>
Subject: [PATCH net,stable] net: cdc_ncm: fix buffer overflow
Date: Fri,  2 May 2014 23:27:00 +0200	[thread overview]
Message-ID: <1399066020-22748-1-git-send-email-bjorn@mork.no> (raw)

Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs
if we send ZLPs") changed the padding logic for devices with the ZLP
flag set.  This meant that frames of any size will be sent without
additional padding, except for the single byte added if the size is
a multiple of the USB packet size. But if the unpadded size is
identical to the maximum frame size, and the maximum size is a
multiplum of the USB packet size, then this one-byte padding will
overflow the buffer.

Prevent padding if already at maximum frame size, letting usbnet
transmit a ZLP instead in this case.

Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs")
Reported by: Yu-an Shih <yshih@nvidia.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
Please add this to the stable v3.13 and v3.14 queues as well.  Thanks.

 drivers/net/usb/cdc_ncm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 549dbac710ed..9a2bd11943eb 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -785,7 +785,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
 	    skb_out->len > CDC_NCM_MIN_TX_PKT)
 		memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
 		       ctx->tx_max - skb_out->len);
-	else if ((skb_out->len % dev->maxpacket) == 0)
+	else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0)
 		*skb_put(skb_out, 1) = 0;	/* force short packet */

 	/* set final frame length */
-- 
2.0.0.rc0

next             reply	other threads:[~2014-05-02 21:27 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-02 21:27 Bjørn Mork [this message]
2014-05-05 19:20 ` [PATCH net,stable] net: cdc_ncm: fix buffer overflow David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:549dbac710e dfblob:9a2bd11943e )
 OR (
bs:"[PATCH net,stable] net: cdc_ncm: fix buffer overflow" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1399066020-22748-1-git-send-email-bjorn@mork.no \
    --to=bjorn@mork.no \
    --cc=alexey.orishko@gmail.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=oliver@neukum.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).