| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240809101612.GJ3075665@kernel.org>
Date: Fri, 9 Aug 2024 11:16:12 +0100
From: Simon Horman <horms@...nel.org>
To: Foster Snowhill <forst@....gy>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Georgi Valkov <gvalkov@...il.com>, Oliver Neukum <oneukum@...e.com>,
netdev@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [PATCH net-next 2/5] usbnet: ipheth: remove extraneous rx URB
length check
On Tue, Aug 06, 2024 at 07:28:06PM +0200, Foster Snowhill wrote:
> Rx URB length was already checked in ipheth_rcvbulk_callback_legacy()
> and ipheth_rcvbulk_callback_ncm(), depending on the current mode.
> The check in ipheth_rcvbulk_callback() was thus mostly a duplicate.
>
> The only place in ipheth_rcvbulk_callback() where we care about the URB
> length is for the initial control frame. These frames are always 4 bytes
> long. This has been checked as far back as iOS 4.2.1 on iPhone 3G.
>
> Remove the extraneous URB length check. For control frames, check for
> the specific 4-byte length instead.
Hi Foster,
I am slightly concerned what happens if a frame that does not match the
slightly stricter check in this patch, is now passed to
dev->rcvbulk_callback().
I see that observations have been made that this does not happen. But is
there no was to inject malicious packets, or for something to malfunction?
>
> Signed-off-by: Foster Snowhill <forst@....gy>
> Tested-by: Georgi Valkov <gvalkov@...il.com>
> ---
> drivers/net/usb/ipheth.c | 8 ++------
> 1 file changed, 2 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
> index 6eeef10edada..017255615508 100644
> --- a/drivers/net/usb/ipheth.c
> +++ b/drivers/net/usb/ipheth.c
> @@ -286,11 +286,6 @@ static void ipheth_rcvbulk_callback(struct urb *urb)
> return;
> }
>
> - if (urb->actual_length <= IPHETH_IP_ALIGN) {
> - dev->net->stats.rx_length_errors++;
> - return;
> - }
> -
> /* RX URBs starting with 0x00 0x01 do not encapsulate Ethernet frames,
> * but rather are control frames. Their purpose is not documented, and
> * they don't affect driver functionality, okay to drop them.
> @@ -298,7 +293,8 @@ static void ipheth_rcvbulk_callback(struct urb *urb)
> * URB received from the bulk IN endpoint.
> */
> if (unlikely
> - (((char *)urb->transfer_buffer)[0] == 0 &&
> + (urb->actual_length == 4 &&
> + ((char *)urb->transfer_buffer)[0] == 0 &&
> ((char *)urb->transfer_buffer)[1] == 1))
> goto rx_submit;
>
> --
> 2.45.1
>
>
Powered by blists - more mailing lists