lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <063D6719AE5E284EB5DD2968C1650D6D45B28F@AcuExch.aculab.com>
Date:	Tue, 14 Jan 2014 11:16:02 +0000
From:	David Laight <David.Laight@...LAB.COM>
To:	netdev <netdev@...r.kernel.org>
Subject: [PATCH] usbnet: Fix dma setup for fragmented packets that need a
 pad byte appended.

If the usbnet code appends a byte to a fragmented packet (in order to avoid
sending a bulk data message that is a multiple of the USB message size) then
the scatter-gather list isn't initialised correctly.
This causes a later panic in usb_hcd_map_urb_for_dma().
Basically when the code tries to access the final sg fragment the sg function
returns NULL because the 'end of sg list' market is set in the previous one.

Bug introduced in commit 60e453a940ac678565b6641d65f8c18541bb9f28
(USBNET: fix handling padding packet) and needs applying to all
kernels that contain this change (including 3.12).

Fix from Bjorn Mork.

Signed-off-by: David Laight <david.laight@...lab.com>
---

I think it is ok that the sg table's last element is never assigned to when
the packet isn't padded.

 drivers/net/usb/usbnet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 8494bb5..aba04f5 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1245,7 +1245,7 @@ static int build_dma_sg(const struct sk_buff *skb, struct urb *urb)
 		return -ENOMEM;
 
 	urb->num_sgs = num_sgs;
-	sg_init_table(urb->sg, urb->num_sgs);
+	sg_init_table(urb->sg, urb->num_sgs + 1);
 
 	sg_set_buf(&urb->sg[s++], skb->data, skb_headlen(skb));
 	total_len += skb_headlen(skb);
-- 
1.8.1.2



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ