Commit 19ca28c306fcf825c165f6f3b9532bec479a60b4

Authored by Bjørn Mork
Committed by Greg Kroah-Hartman
1 parent 1b3ac8488e

net: cdc_ncm: fix buffer overflow

[ Upstream commit 9becd707841207652449a8dfd90fe9c476d88546 ]

Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs
if we send ZLPs") changed the padding logic for devices with the ZLP
flag set.  This meant that frames of any size will be sent without
additional padding, except for the single byte added if the size is
a multiple of the USB packet size. But if the unpadded size is
identical to the maximum frame size, and the maximum size is a
multiple of the USB packet size, then this one-byte padding will
overflow the buffer.

Prevent padding if already at maximum frame size, letting usbnet
transmit a ZLP instead in this case.

Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs")
Reported by: Yu-an Shih <yshih@nvidia.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 1 additions and 1 deletions

drivers/net/usb/cdc_ncm.c
... ... @@ -768,7 +768,7 @@
768 768 skb_out->len > CDC_NCM_MIN_TX_PKT)
769 769 memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
770 770 ctx->tx_max - skb_out->len);
771   - else if ((skb_out->len % dev->maxpacket) == 0)
  771 + else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0)
772 772 *skb_put(skb_out, 1) = 0; /* force short packet */
773 773  
774 774 /* set final frame length */
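Review bot: The new `skb_out->len < ctx->tx_max` guard at line 771 carries no comment explaining why a frame that is exactly tx_max long and a multiple of dev->maxpacket is left unpadded, and the existing "force short packet" comment on the next line still reads as if the byte were always appended. A short comment above the else-if, saying that the buffer is already full in that case and that usbnet is relied on to send the ZLP, would keep a later cleanup from dropping the bound. It is also worth confirming in review that usbnet really does send that ZLP for every device that reaches this branch, since the visible lines do not show where that is guaranteed.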