From patchwork Mon Nov 6 14:37:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Bj=C3=B8rn_Mork?= X-Patchwork-Id: 834771 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=mork.no header.i=@mork.no header.b="OjmnDl/Y"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yVwBx6Rxgz9s7B for ; Tue, 7 Nov 2017 01:37:45 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753614AbdKFOho (ORCPT ); Mon, 6 Nov 2017 09:37:44 -0500 Received: from canardo.mork.no ([148.122.252.1]:33927 "EHLO canardo.mork.no" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932173AbdKFOhl (ORCPT ); Mon, 6 Nov 2017 09:37:41 -0500 Received: from miraculix.mork.no ([IPv6:2a02:2121:305:5f9:34c0:14ff:fe74:3b2f]) (authenticated bits=0) by canardo.mork.no (8.15.2/8.15.2) with ESMTPSA id vA6EbWVj029700 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 6 Nov 2017 15:37:32 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mork.no; s=b; t=1509979052; bh=Fy0SRyClxJe7Hrbc9XH0yQPFaqFldauR0OJmAYyYoV8=; h=From:To:Cc:Subject:Date:Message-Id:From; b=OjmnDl/YOSXxsQLs+SRh83iC4FvEZyjiQkKwGurP266dNK07nXCB7DN6CAXaVt3hG uG/Fhg9//OsbT9AJE9UvX2OSkYiy/Ed+JA8anzhu9wpiYkBgIw7L2QHCyQAB+ib1ia Bi29esAk0OL32vyXX1q/Gc+gNFnCpm5Lzc0JdNb4= Received: from bjorn by miraculix.mork.no with local (Exim 4.89) (envelope-from ) id 1eBiWk-0000pr-UG; Mon, 06 Nov 2017 15:37:26 +0100 From: =?utf-8?q?Bj=C3=B8rn_Mork?= To: netdev@vger.kernel.org Cc: linux-usb@vger.kernel.org, Oliver Neukum , Dmitry Vyukov , Kostya Serebryany , syzkaller@googlegroups.com, =?utf-8?q?Bj=C3=B8rn_Mork?= Subject: [PATCH net, stable] net: cdc_ether: fix divide by 0 on bad descriptors Date: Mon, 6 Nov 2017 15:37:22 +0100 Message-Id: <20171106143722.3171-1-bjorn@mork.no> X-Mailer: git-send-email 2.11.0 MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.99.2 at canardo X-Virus-Status: Clean Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. Signed-off-by: Bjørn Mork Acked-by: Oliver Neukum --- I believe the problem found by syzcaller in qmi_wwan also applies to cdc_ether. We cannot allow the .bind callback to set dev->hard_mtu to 0. drivers/net/usb/cdc_ether.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c index 3e7a3ac3a362..05dca3e5c93d 100644 --- a/drivers/net/usb/cdc_ether.c +++ b/drivers/net/usb/cdc_ether.c @@ -230,7 +230,7 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) goto bad_desc; } - if (header.usb_cdc_ether_desc) { + if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) { dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize); /* because of Zaurus, we may be ignoring the host * side link address we were given.