| From foo@baz Wed May 28 21:03:54 PDT 2014 |
| From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> |
| Date: Fri, 2 May 2014 23:27:00 +0200 |
| Subject: net: cdc_ncm: fix buffer overflow |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no> |
| |
| [ Upstream commit 9becd707841207652449a8dfd90fe9c476d88546 ] |
| |
| Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs |
| if we send ZLPs") changed the padding logic for devices with the ZLP |
| flag set. This meant that frames of any size will be sent without |
| additional padding, except for the single byte added if the size is |
| a multiple of the USB packet size. But if the unpadded size is |
| identical to the maximum frame size, and the maximum size is a |
| multiple of the USB packet size, then this one-byte padding will |
| overflow the buffer. |
| |
| Prevent padding if already at maximum frame size, letting usbnet |
| transmit a ZLP instead in this case. |
| |
| Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs") |
| Reported by: Yu-an Shih <yshih@nvidia.com> |
| Signed-off-by: Bjørn Mork <bjorn@mork.no> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/usb/cdc_ncm.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/net/usb/cdc_ncm.c |
| +++ b/drivers/net/usb/cdc_ncm.c |
| @@ -768,7 +768,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev |
| skb_out->len > CDC_NCM_MIN_TX_PKT) |
| memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0, |
| ctx->tx_max - skb_out->len); |
| - else if ((skb_out->len % dev->maxpacket) == 0) |
| + else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0) |
| *skb_put(skb_out, 1) = 0; /* force short packet */ |
| |
| /* set final frame length */ |
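
Review bot: the comment on the `*skb_put(skb_out, 1) = 0;` line still reads only "force short packet", so nothing in the code explains why the new `skb_out->len < ctx->tx_max` test in the `else if` exists, or that the `len == tx_max` case now depends on usbnet transmitting a ZLP. Suggest a short comment above the `else if` saying that no pad byte fits once the frame is already at `tx_max` and that usbnet sends a ZLP instead, so a later cleanup does not remove the bound as redundant.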