From patchwork Wed Apr 27 11:24:49 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petko Manolov X-Patchwork-Id: 615559 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3qvyL71prtz9sdn for ; Wed, 27 Apr 2016 21:25:02 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=mip-labs.com header.i=@mip-labs.com header.b=L9qmOKNu; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752316AbcD0LZB (ORCPT ); Wed, 27 Apr 2016 07:25:01 -0400 Received: from lan.nucleusys.com ([92.247.61.126]:42498 "EHLO zztop.nucleusys.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751019AbcD0LY7 (ORCPT ); Wed, 27 Apr 2016 07:24:59 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mip-labs.com; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From; bh=Es7qLtsNqCiOVSmIFqvf96FGDuHrLK1I+Dz5khhpDmI=; b=L9qmOKNuTzUFdLSD7PkIWBu5y3pTcA/rpZd5OakH7G8pSZ/Ts8fk8700PVvb9gkj9rEipap0DFJjfyY7ZSly+32u9H+je1CaLaZ/ci6BWBy9EG8ZG5I9GpaDuk4uygHVOWP/cJuKU/DEViRJTGPH1Y0mFLooHndHqyyayiKAobw=; Received: from 78-83-66-70.spectrumnet.bg ([78.83.66.70] helo=localhost.localdomain) by zztop.nucleusys.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_CBC_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1avNaQ-0003C6-Rr; Wed, 27 Apr 2016 14:24:55 +0300 From: Petko Manolov To: netdev@vger.kernel.org Cc: davem@davemloft.net, a1291762@gmail.com, johannes@sipsolutions.net, Petko Manolov Subject: [PATCH v3 1/2] pegasus: fixes URB buffer allocation size; Date: Wed, 27 Apr 2016 14:24:49 +0300 Message-Id: <1461756290-27421-2-git-send-email-petkan@mip-labs.com> X-Mailer: git-send-email 2.8.0.rc3 In-Reply-To: <1461756290-27421-1-git-send-email-petkan@mip-labs.com> References: <1461756290-27421-1-git-send-email-petkan@mip-labs.com> X-Spam-Score: -1.0 (-) X-Spam-Report: Spam detection software, running on the system "zztop.nucleusys.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: usb_fill_bulk_urb() receives buffer length parameter 8 bytes larger than what's allocated by alloc_skb(); This seems to be a problem with older (pegasus usb-1.1) devices, which may silently return more data than the maximal packet length. [...] Content analysis details: (-1.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP 0.0 TVD_RCVD_IP Message was received from an IP address Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org usb_fill_bulk_urb() receives buffer length parameter 8 bytes larger than what's allocated by alloc_skb(); This seems to be a problem with older (pegasus usb-1.1) devices, which may silently return more data than the maximal packet length. Reported-by: Lincoln Ramsay Signed-off-by: Petko Manolov --- drivers/net/usb/pegasus.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c index f840802..f919e20 100644 --- a/drivers/net/usb/pegasus.c +++ b/drivers/net/usb/pegasus.c @@ -528,7 +528,7 @@ static void read_bulk_callback(struct urb *urb) goon: usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); rx_status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC); if (rx_status == -ENODEV) @@ -569,7 +569,7 @@ static void rx_fixup(unsigned long data) } usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); try_again: status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC); @@ -823,7 +823,7 @@ static int pegasus_open(struct net_device *net) usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); if ((res = usb_submit_urb(pegasus->rx_urb, GFP_KERNEL))) { if (res == -ENODEV)