diff mbox series

[PATCHv2] USB: gl620a: check for rx buffer overflow

Message ID 20231122095306.15175-1-oneukum@suse.com (mailing list archive)
State New, archived
Headers show
Series [PATCHv2] USB: gl620a: check for rx buffer overflow | expand

Commit Message

Oliver Neukum Nov. 22, 2023, 9:52 a.m. UTC
The driver checks for a single package overflowing
maximum size. That needs to be done, but it is not
enough. As a single transmission can contain a high
number of packets, we also need to check whether
the aggregate of messages in itself short enough
overflow the buffer.
That is easiest done by checking that the current
packet does not overflow the buffer.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---

v2: corrected typo in commit message
 
 drivers/net/usb/gl620a.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Sergey Shtylyov Nov. 22, 2023, 9:55 a.m. UTC | #1
On 11/22/23 12:52 PM, Oliver Neukum wrote:

> The driver checks for a single package overflowing

   Maybe packet?

> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
[...]

MBR, Sergey
Oliver Neukum Nov. 22, 2023, 10:04 a.m. UTC | #2
On 22.11.23 10:55, Sergey Shtylyov wrote:
> On 11/22/23 12:52 PM, Oliver Neukum wrote:
> 
>> The driver checks for a single package overflowing
> 
>     Maybe packet?

No, that would be read as network packet, which
is precisely what this not not and should not
be mistaken for.

	Regards
		Oliver
Sergey Shtylyov Nov. 22, 2023, 10:07 a.m. UTC | #3
On 11/22/23 1:04 PM, Oliver Neukum wrote:

[...]
>>> The driver checks for a single package overflowing
>>
>>     Maybe packet?
> 
> No, that would be read as network packet, which
> is precisely what this not not and should not
> be mistaken for.

   But "package" hardly fits either. Is it a USB packet or something else?

>     Regards
>         Oliver

MBR, Sergey
Oliver Neukum Nov. 22, 2023, 10:20 a.m. UTC | #4
On 22.11.23 11:07, Sergei Shtylyov wrote:
> On 11/22/23 1:04 PM, Oliver Neukum wrote:
> 
> [...]
>>>> The driver checks for a single package overflowing
>>>
>>>      Maybe packet?
>>
>> No, that would be read as network packet, which
>> is precisely what this not not and should not
>> be mistaken for.
> 
>     But "package" hardly fits either. Is it a USB packet or something else?

Technically the content of the buffer associated
with a single URB. Which on USB physically can be multiple
packets. The network packets arrive together in a package.
That is how this and related drivers operate.

	Regards
		Oliver
Simon Horman Nov. 24, 2023, 11:53 a.m. UTC | #5
On Wed, Nov 22, 2023 at 11:20:47AM +0100, Oliver Neukum wrote:
> 
> 
> On 22.11.23 11:07, Sergei Shtylyov wrote:
> > On 11/22/23 1:04 PM, Oliver Neukum wrote:
> > 
> > [...]
> > > > > The driver checks for a single package overflowing
> > > > 
> > > >      Maybe packet?
> > > 
> > > No, that would be read as network packet, which
> > > is precisely what this not not and should not
> > > be mistaken for.
> > 
> >     But "package" hardly fits either. Is it a USB packet or something else?
> 
> Technically the content of the buffer associated
> with a single URB. Which on USB physically can be multiple
> packets. The network packets arrive together in a package.
> That is how this and related drivers operate.

I think it would be useful to include information along the lines
of the above in the patch description.
Oliver Neukum Nov. 30, 2023, 9:38 a.m. UTC | #6
On 24.11.23 12:53, Simon Horman wrote:
>
> 
> I think it would be useful to include information along the lines
> of the above in the patch description.

Hi,

I see why you want this information to be available.
So I thought about it and I think this should be
either in Documentation or in a comment in usbnet,
so that new drivers include the necessary checks
from the start. What do you think?

	Regards
		Oliver
Simon Horman Nov. 30, 2023, 4:42 p.m. UTC | #7
On Thu, Nov 30, 2023 at 10:38:09AM +0100, Oliver Neukum wrote:
> On 24.11.23 12:53, Simon Horman wrote:
> > 
> > 
> > I think it would be useful to include information along the lines
> > of the above in the patch description.
> 
> Hi,
> 
> I see why you want this information to be available.
> So I thought about it and I think this should be
> either in Documentation or in a comment in usbnet,
> so that new drivers include the necessary checks
> from the start. What do you think?

Hi Oliver,

yes, now you mention it that does seem appropriate.
And I don't think that doing so gates this patch.

Reviewed-by: Simon Horman <horms@kernel.org>
Paolo Abeni Dec. 5, 2023, 8:04 a.m. UTC | #8
On Wed, 2023-11-22 at 10:52 +0100, Oliver Neukum wrote:
> The driver checks for a single package overflowing
> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

This looks like a bugfix, so a suitable Fixes tag should be included.

> ---
> 
> v2: corrected typo in commit message
>  
>  drivers/net/usb/gl620a.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
> index 46af78caf457..d33ae15abdc1 100644
> --- a/drivers/net/usb/gl620a.c
> +++ b/drivers/net/usb/gl620a.c
> @@ -104,6 +104,10 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
>  			return 0;
>  		}
>  
> +		/* we also need to check for overflowing the buffer */
> +		if (size > skb->len)
> +			return 0;

I think the above is not strict enough: at this point skb->data points
to the gl_packet header. The first 4 bytes in skb are gl_packet-
>packet_length. To ensure an overflow is avoided you should check for:

		if (size + 4 > skb->len)

likely with a describing comment.

Cheers,

Paolo
Oliver Neukum Dec. 5, 2023, 10:21 a.m. UTC | #9
On 05.12.23 09:04, Paolo Abeni wrote:

Hi,

> I think the above is not strict enough: at this point skb->data points
> to the gl_packet header. The first 4 bytes in skb are gl_packet-
>> packet_length. To ensure an overflow is avoided you should check for:
> 
> 		if (size + 4 > skb->len)
> 
> likely with a describing comment.

it seems to me that at the time of the check skb->len has already
been adjusted by the skb_pull() before, respectively at the end, of
the loop.

	Regards
		Oliver
diff mbox series

Patch

diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
index 46af78caf457..d33ae15abdc1 100644
--- a/drivers/net/usb/gl620a.c
+++ b/drivers/net/usb/gl620a.c
@@ -104,6 +104,10 @@  static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 			return 0;
 		}
 
+		/* we also need to check for overflowing the buffer */
+		if (size > skb->len)
+			return 0;
+
 		// allocate the skb for the individual packet
 		gl_skb = alloc_skb(size, GFP_ATOMIC);
 		if (gl_skb) {