This is a note to let you know that I've just added the patch titled
net: cdc_ncm: fix buffer overflow
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-cdc_ncm-fix-buffer-overflow.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From foo@baz Wed May 28 21:03:54 PDT 2014
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <[email protected]>
Date: Fri, 2 May 2014 23:27:00 +0200
Subject: net: cdc_ncm: fix buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <[email protected]>
[ Upstream commit 9becd707841207652449a8dfd90fe9c476d88546 ]
Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs
if we send ZLPs") changed the padding logic for devices with the ZLP
flag set. This meant that frames of any size will be sent without
additional padding, except for the single byte added if the size is
a multiple of the USB packet size. But if the unpadded size is
identical to the maximum frame size, and the maximum size is a
multiplum of the USB packet size, then this one-byte padding will
overflow the buffer.
Prevent padding if already at maximum frame size, letting usbnet
transmit a ZLP instead in this case.
Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send
ZLPs")
Reported by: Yu-an Shih <[email protected]>
Signed-off-by: Bjørn Mork <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/usb/cdc_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -768,7 +768,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
skb_out->len > CDC_NCM_MIN_TX_PKT)
memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0,
ctx->tx_max - skb_out->len);
- else if ((skb_out->len % dev->maxpacket) == 0)
+ else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket)
== 0)
*skb_put(skb_out, 1) = 0; /* force short packet */
/* set final frame length */
Patches currently in stable-queue which might be from [email protected] are
queue-3.14/net-qmi_wwan-add-sierra-wireless-em7355.patch
queue-3.14/net-qmi_wwan-add-sierra-wireless-mc73xx.patch
queue-3.14/net-qmi_wwan-add-a-number-of-dell-devices.patch
queue-3.14/usb-option-add-olivetti-olicard-500.patch
queue-3.14/net-cdc_mbim-handle-unaccelerated-vlan-tagged-frames.patch
queue-3.14/usb-option-add-and-update-a-number-of-cmotech-devices.patch
queue-3.14/net-qmi_wwan-add-olivetti-olicard-500.patch
queue-3.14/net-qmi_wwan-add-alcatel-l800ma.patch
queue-3.14/usb-qcserial-add-sierra-wireless-em7355.patch
queue-3.14/net-qmi_wwan-add-a-number-of-cmotech-devices.patch
queue-3.14/usb-qcserial-add-sierra-wireless-mc7305-mc7355.patch
queue-3.14/usb-qcserial-add-sierra-wireless-mc73xx.patch
queue-3.14/net-cdc_ncm-fix-buffer-overflow.patch
queue-3.14/usb-option-add-alcatel-l800ma.patch
queue-3.14/net-cdc_mbim-__vlan_find_dev_deep-need-rcu_read_lock.patch
queue-3.14/net-qmi_wwan-add-sierra-wireless-mc7305-mc7355.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
