Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 332f989a authored by Oliver Neukum's avatar Oliver Neukum Committed by David S. Miller
Browse files

CDC-NCM: handle incomplete transfer of MTU 



A malicious device may give half an answer when asked
for its MTU. The driver will proceed after this with
a garbage MTU. Anything but a complete answer must be treated
as an error.

V2: used sizeof as request by Alexander

Reported-and-tested-by: default avatar <syzbot+0631d878823ce2411636@syzkaller.appspotmail.com>
Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 025ec40b

drivers/net/usb/cdc_ncm.c

+3 −3
Original line number Diff line number Diff line
@@ -578,8 +578,8 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size) 
	/* read current mtu value from device */

	err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,

			      USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,

			      0, iface_no, &max_datagram_size, 2);

	if (err < 0) {

			      0, iface_no, &max_datagram_size, sizeof(max_datagram_size));

	if (err < sizeof(max_datagram_size)) {

		dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");

		goto out;

	}
@@ -590,7 +590,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size) 
	max_datagram_size = cpu_to_le16(ctx->max_datagram_size);

	err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,

			       USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,

			       0, iface_no, &max_datagram_size, 2);

			       0, iface_no, &max_datagram_size, sizeof(max_datagram_size));

	if (err < 0)

		dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");