projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 192d115)
net: lan78xx: fix division by zero in send path
authorJohan Hovold <johan@kernel.org>
Tue, 26 Oct 2021 10:36:17 +0000 (12:36 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 2 Nov 2021 17:25:12 +0000 (18:25 +0100)
commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in lan78xx_tx_bh() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org # 4.3
Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/usb/lan78xx.c patch | blob | blame | history

diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index ff108611c5e486c55cff16e6dfe78450c321f396..1b30636c8bc73d858e5531e172881fcbbbdd0531 100644 (file)
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3615,6 +3615,12 @@ static int lan78xx_probe(struct usb_interface *intf,
 
        dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
 
+       /* Reject broken descriptors. */
+       if (dev->maxpacket == 0) {
+               ret = -ENODEV;
+               goto out4;
+       }
+
        /* driver requires remote-wakeup capability during autosuspend. */
        intf->needs_remote_wakeup = 1;