Message ID | 20181012114735.8366-2-kleber.souza@canonical.com |
---|---|
State | New |
Series | Fix for CVE-2017-16649 |
On 12.10.2018 13:47, Kleber Sacilotto de Souza wrote: > From: Bjørn Mork <bjorn@mork.no> > > Setting dev->hard_mtu to 0 will cause a divide error in > usbnet_probe. Protect against devices with bogus CDC Ethernet > functional descriptors by ignoring a zero wMaxSegmentSize. > > Signed-off-by: Bjørn Mork <bjorn@mork.no> > Acked-by: Oliver Neukum <oneukum@suse.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > CVE-2017-16649 > (backported from commit 2cb80187ba065d7decad7c6614e35e07aec8a974) > [ kleber: parsing code is organised differently ] > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/net/usb/cdc_ether.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c > index 2023f3ea891e..f0a924258035 100644 > --- a/drivers/net/usb/cdc_ether.c > +++ b/drivers/net/usb/cdc_ether.c > @@ -237,8 +237,9 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) > info->ether->bLength); > goto bad_desc; > } > - dev->hard_mtu = le16_to_cpu( > - info->ether->wMaxSegmentSize); > + if (info->ether->wMaxSegmentSize) > + dev->hard_mtu = le16_to_cpu( > + info->ether->wMaxSegmentSize); > /* because of Zaurus, we may be ignoring the host > * side link address we were given. > */ >
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c index 2023f3ea891e..f0a924258035 100644 --- a/drivers/net/usb/cdc_ether.c +++ b/drivers/net/usb/cdc_ether.c @@ -237,8 +237,9 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf) info->ether->bLength); goto bad_desc; } - dev->hard_mtu = le16_to_cpu( - info->ether->wMaxSegmentSize); + if (info->ether->wMaxSegmentSize) + dev->hard_mtu = le16_to_cpu( + info->ether->wMaxSegmentSize); /* because of Zaurus, we may be ignoring the host * side link address we were given. */
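Review bot: the new `if (info->ether->wMaxSegmentSize)` test in usbnet_generic_cdc_bind() has no else branch, so a zero wMaxSegmentSize leaves dev->hard_mtu at whatever value it held before this point, and the hunk does not show what that value is. Because the backport note says the parsing code is organised differently in this tree, it is worth confirming that hard_mtu is already set to a non-zero default before this code runs here; otherwise the divide error in usbnet_probe described in the commit message remains reachable. A short comment above the test stating that a zero wMaxSegmentSize from a bogus descriptor is ignored in favour of the existing value, and optionally a dev_dbg() when that happens, would make the intent clear to the next reader. Testing the raw little-endian field for zero before le16_to_cpu() is fine, since zero is the same in either byte order.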