From: Greg Kroah-Hartman
To: linux-usb@vger.kernel.org, netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Oliver Neukum, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, stable
Subject: [PATCH net] net: usb: cdc_ncm: reject negative chained NDP offsets
Date: Sat, 11 Apr 2026 12:53:38 +0200
Message-ID: <2026041137-comfy-eaten-a1ed@gregkh>

cdc_ncm_rx_fixup() reads dwNextNdpIndex from each NDP32 to chain to the
next one. The 32-bit value from the device is stored into the signed
int ndpoffset so that means values with the high bit set become
negative. The first time this is read, the value is properly tested for
a negative value BUT the next time through the loop, this type of check
is missed entirely.

Fix this up by checking for a negative value when dwNextNdpIndex is read
again in the bottom of the loop to match the top check.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
a similar signed-overflow issue in the datagram offset checks of the
same function.

Cc: Oliver Neukum
Cc: Andrew Lunn
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
Fixes: 0fa81b304a79 ("cdc_ncm: Implement the 32-bit version of NCM Transfer Block")
Cc: stable
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/cdc_ncm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c index bb9929727eb9..b2d08c4aae54 100644 --- a/drivers/net/usb/cdc_ncm.c +++ b/drivers/net/usb/cdc_ncm.c @@ -1835,7 +1835,7 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in) else ndpoffset = le32_to_cpu(ndp.ndp32->dwNextNdpIndex); - if (ndpoffset && loopcount--) + if (ndpoffset > 0 && loopcount--) goto next_ndp; /* update stats */ -- 2.53.0
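
Review bot: in the changed condition `if (ndpoffset > 0 && loopcount--)`, a negative ndpoffset now takes the same fall-through to `/* update stats */` as a zero end-of-chain value, so a frame whose dwNextNdpIndex has the high bit set is counted as a normal receive instead of being rejected, which is weaker than the "reject" in the subject line. If the intent is to treat such a frame as malformed, test for `ndpoffset < 0` separately before this line and take the function's error path there; if quietly ending the chain is intended, a one-line comment at the condition saying that negative values come from the signed conversion of the 32-bit device field and terminate the walk would keep the `> 0` from being simplified back to a truthiness test later.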