From 55cd2de30dfe8d85a591976e39eeec4722ba0119 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
Date: Mon, 22 Oct 2012 10:56:32 +0000
Subject: [PATCH] --- yaml --- r: 340439 b: refs/heads/master c: 75d67d354f7c9bcaaee3dd30a627d8e34d068205 h: refs/heads/master i: 340437: fc2f3c16e34891faa2dee6f743cf9207c7772d79 340435: 7be6763cf5e1841ced3040f7af5a7ae57c6e3daa 340431: 192d728b41f1c0798afeaf647038f4e493ac9c9c v: v3
---
 [refs] | 2 +-
 trunk/drivers/net/usb/cdc_ncm.c | 35 ++++++++++++++++++++-------------
 2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/[refs] b/[refs]
index 6ad34dacf96e..dc5456a81ae0 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 38396e4c2984bf87283c2cda2c6aefa5876639dd
+refs/heads/master: 75d67d354f7c9bcaaee3dd30a627d8e34d068205
diff --git a/trunk/drivers/net/usb/cdc_ncm.c b/trunk/drivers/net/usb/cdc_ncm.c
index 643e643392fe..34069346544f 100644
--- a/trunk/drivers/net/usb/cdc_ncm.c
+++ b/trunk/drivers/net/usb/cdc_ncm.c
@@ -977,6 +977,8 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 struct usb_cdc_ncm_nth16 *nth16;
 struct usb_cdc_ncm_ndp16 *ndp16;
 struct usb_cdc_ncm_dpe16 *dpe16;
+ int ndpoffset;
+ int loopcount = 50; /* arbitrary max preventing infinite loop */
 if (ctx == NULL) goto error;
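Review bot: `ndpoffset` is declared as a signed `int`, yet the later hunks load it from 16-bit little-endian fields, add it to a `sizeof` before comparing with `skb_in->len`, and print it with `%u` in `pr_debug("invalid NDP offset <%u>\n", ndpoffset)`; `unsigned int ndpoffset;` would match all three uses. The bare `50` would also read better as a named constant whose comment says what is being bounded, for example `/* max chained NDPs walked per NTB; the chain is supplied by the device */`. cdc_ncm_rx_fixup starts and ends outside this hunk.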
@@ -1010,25 +1012,24 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 }
 ctx->rx_seq = le16_to_cpu(nth16->wSequence);
- len = le16_to_cpu(nth16->wNdpIndex);
- if ((len + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
- pr_debug("invalid DPT16 index <%u>\n",
- le16_to_cpu(nth16->wNdpIndex));
+ ndpoffset = le16_to_cpu(nth16->wNdpIndex);
+next_ndp:
+ if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) {
+ pr_debug("invalid NDP offset <%u>\n", ndpoffset);
 goto error;
 }
-
- ndp16 = (struct usb_cdc_ncm_ndp16 *)(((u8 *)skb_in->data) + len);
+ ndp16 = (struct usb_cdc_ncm_ndp16 *)(skb_in->data + ndpoffset);
 if (le32_to_cpu(ndp16->dwSignature) != USB_CDC_NCM_NDP16_NOCRC_SIGN) {
 pr_debug("invalid DPT16 signature <%u>\n", le32_to_cpu(ndp16->dwSignature));
- goto error;
+ goto err_ndp;
 }
 if (le16_to_cpu(ndp16->wLength) < USB_CDC_NCM_NDP16_LENGTH_MIN) {
 pr_debug("invalid DPT16 length <%u>\n", le32_to_cpu(ndp16->dwSignature));
- goto error;
+ goto err_ndp;
 }
 nframes = ((le16_to_cpu(ndp16->wLength) -
@@ -1036,15 +1037,15 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 sizeof(struct usb_cdc_ncm_dpe16));
 nframes--; /* we process NDP entries except for the last one */
- len += sizeof(struct usb_cdc_ncm_ndp16);
+ ndpoffset += sizeof(struct usb_cdc_ncm_ndp16);
- if ((len + nframes * (sizeof(struct usb_cdc_ncm_dpe16))) >
+ if ((ndpoffset + nframes * (sizeof(struct usb_cdc_ncm_dpe16))) >
 skb_in->len) {
 pr_debug("Invalid nframes = %d\n", nframes);
- goto error;
+ goto err_ndp;
 }
- dpe16 = (struct usb_cdc_ncm_dpe16 *)(((u8 *)skb_in->data) + len);
+ dpe16 = (struct usb_cdc_ncm_dpe16 *)(skb_in->data + ndpoffset);
 for (x = 0; x < nframes; x++, dpe16++) {
 offset = le16_to_cpu(dpe16->wDatagramIndex);
@@ -1056,7 +1057,7 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 */
 if ((offset == 0) || (len == 0)) {
 if (!x)
- goto error; /* empty NTB */
+ goto err_ndp; /* empty NTB */
 break;
 }
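Review bot: In the hunk at `@@ -1010,25 +1012,24 @@`, the signature and `wLength` failures now `goto err_ndp` instead of `goto error`, and the `err_ndp` tail added in the last hunk then reads `wNextNdpIndex` from the very descriptor that was just rejected and ends in `return 1` rather than `return 0`. A descriptor whose signature does not match gives no reason to trust its next pointer, so these two branches should keep `goto error;`, leaving `err_ndp` for the empty-NDP cases inside the datagram loop. The `Invalid nframes` branch in the `@@ -1036,15 +1037,15 @@` hunk has the same issue. The unchanged `invalid DPT16 length` message prints `dwSignature` where `wLength` is the value being tested, which is worth correcting while these lines are touched. The function body extends beyond these hunks.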
@@ -1067,7 +1068,7 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 "offset[%u]=%u, length=%u, skb=%p\n", x, offset, len, skb_in);
 if (!x)
- goto error;
+ goto err_ndp;
 break;
 } else {
@@ -1080,6 +1081,12 @@ static int cdc_ncm_rx_fixup(struct usbnet *dev, struct sk_buff *skb_in)
 usbnet_skb_return(dev, skb);
 }
 }
+err_ndp:
+ /* are there more NDPs to process? */
+ ndpoffset = le16_to_cpu(ndp16->wNextNdpIndex);
+ if (ndpoffset && loopcount--)
+ goto next_ndp;
+
 return 1;
 error:
 return 0;
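Review bot: The `err_ndp` tail in the `@@ -1080,6 +1081,12 @@` hunk follows `wNextNdpIndex` without checking that it names a descriptor not already walked, so an NTB whose NDP points at itself or at an earlier NDP is re-parsed until `loopcount` runs out. As far as the visible context shows, each pass hands the same datagrams to `usbnet_skb_return()` again, so `loopcount` bounds the work but not the duplicate delivery. Because `ndpoffset` is advanced past the NDP header in an earlier hunk, the descriptor's start would have to be kept in a second variable so the tail can refuse at least a self-reference, e.g. `if (next && next != ndp_start && loopcount--)`, where `next` and `ndp_start` are placeholder names. When the cap is reached the remaining NDPs are dropped silently and the function still returns 1; a `pr_debug` on that path would make truncated chains visible in logs.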