From patchwork Tue Apr 26 18:50:24 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petko Manolov
X-Patchwork-Id: 615116
X-Patchwork-Delegate: davem@davemloft.net
From: Petko Manolov
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, petkan@mip-labs.com
Subject: [PATCH] Fixes buffer allocation size and the actual packet length;
Date: Tue, 26 Apr 2016 21:50:24 +0300
Message-Id: <1461696624-5373-2-git-send-email-petkan@mip-labs.com>
X-Mailer: git-send-email 2.8.0.rc3
In-Reply-To: <1461696624-5373-1-git-send-email-petkan@mip-labs.com>
References: <1461696624-5373-1-git-send-email-petkan@mip-labs.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

usb_fill_bulk_urb() receives buffer length parameter 8 bytes larger than
what's allocated by alloc_skb(). This seems to be a problem with older
(pegasus usb-1.1) devices, which may silently return more data than the
maximal packet length.

Going through the chip's documentation I figured out the ethernet packet is
appended with 4 bytes of status data. That's why we now subtract 4 instead of
8 bytes from the reported packet length.

Reported-by: Lincoln Ramsay
Signed-off-by: Petko Manolov
---
 drivers/net/usb/pegasus.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c index f840802..780c217 100644 --- a/drivers/net/usb/pegasus.c +++ b/drivers/net/usb/pegasus.c @@ -497,7 +497,7 @@ static void read_bulk_callback(struct urb *urb) pkt_len = buf[count - 3] << 8; pkt_len += buf[count - 4]; pkt_len &= 0xfff; - pkt_len -= 8; + pkt_len -= 4; } /* @@ -528,7 +528,7 @@ static void read_bulk_callback(struct urb *urb) goon: usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); rx_status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC); if (rx_status == -ENODEV) @@ -569,7 +569,7 @@ static void rx_fixup(unsigned long data) } usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); try_again: status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC); @@ -823,7 +823,7 @@ static int pegasus_open(struct net_device *net) usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb, usb_rcvbulkpipe(pegasus->usb, 1), - pegasus->rx_skb->data, PEGASUS_MTU + 8, + pegasus->rx_skb->data, PEGASUS_MTU, read_bulk_callback, pegasus); if ((res = usb_submit_urb(pegasus->rx_urb, GFP_KERNEL))) { if (res == -ENODEV)
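
Review bot: In the @@ -497 hunk of read_bulk_callback(), "pkt_len -= 4;" runs on a value read from the device-supplied trailer bytes and masked with 0xfff, and the visible context shows no check that the masked value is at least 4 or that the result fits the PEGASUS_MTU-byte buffer the later hunks now pass to usb_fill_bulk_urb(). Please validate pkt_len against both bounds before it is used and drop the frame on failure, or, if such a check already sits just outside this context, say so in the commit message. A named constant or a one-line comment tying the 4 to the status bytes the chip appends would also keep the number from looking arbitrary.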
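
Review bot: The three usb_fill_bulk_urb() call sites (read_bulk_callback() at goon:, rx_fixup() and pegasus_open()) each repeat the same hand-written length, which leaves the URB length free to drift away from the alloc_skb() size again, as the commit message says it had. Consider a small helper that fills rx_urb, or a single constant shared with the allocation, so the two cannot diverge. Because the commit message says these devices may return more data than the maximal packet length, it is also worth confirming that read_bulk_callback() treats an overflow status on the URB as a dropped frame rather than parsing the trailer. The buffer-size change would also be easier to bisect as a separate patch from the pkt_len change.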