Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize

Endpoints with zero wMaxPacketSize are not usable for transferring
data. Ignore such endpoints when looking for valid in, out and
status pipes, to make the driver more robust against invalid and
meaningless descriptors.

The wMaxPacketSize of the out pipe is used as divisor. So this change
fixes a divide-by-zero bug.

Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>

Authored by Bjørn Mork and committed by Jakub Kicinski
3fe4b335 7b09c2d0

+5 -1
drivers/net/usb/cdc_ncm.c
··· 681 681 u8 ep; 682 682 683 683 for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) { 684 - 685 684 e = intf->cur_altsetting->endpoint + ep; 685 + 686 + /* ignore endpoints which cannot transfer data */ 687 + if (!usb_endpoint_maxp(&e->desc)) 688 + continue; 689 + 686 690 switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { 687 691 case USB_ENDPOINT_XFER_INT: 688 692 if (usb_endpoint_dir_in(&e->desc)) {
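
Review bot: the new `if (!usb_endpoint_maxp(&e->desc)) continue;` at the top of the loop drops the endpoint silently; a debug-level message naming the skipped endpoint would make a device with malformed descriptors diagnosable from the log rather than just failing to bind. The visible lines also do not show what happens when every endpoint is skipped, so it is worth confirming that the code following the loop rejects the interface when no in or out pipe was found, since the fix now relies on that path. The comment "ignore endpoints which cannot transfer data" could additionally mention that the out pipe's wMaxPacketSize is later used as a divisor, which is the reason the commit message gives for the check.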