diff mbox series

[PATCHv2] USB: gl620a: check for rx buffer overflow

Message ID 20231122095306.15175-1-oneukum@suse.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [PATCHv2] USB: gl620a: check for rx buffer overflow | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/codegen success Generated files up to date
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1127 this patch: 1127
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 1154 this patch: 1154
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1154 this patch: 1154
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Oliver Neukum Nov. 22, 2023, 9:52 a.m. UTC
The driver checks for a single package overflowing
maximum size. That needs to be done, but it is not
enough. As a single transmission can contain a high
number of packets, we also need to check whether
the aggregate of messages in itself short enough
overflow the buffer.
That is easiest done by checking that the current
packet does not overflow the buffer.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---

v2: corrected typo in commit message
 
 drivers/net/usb/gl620a.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Sergey Shtylyov Nov. 22, 2023, 9:55 a.m. UTC | #1
On 11/22/23 12:52 PM, Oliver Neukum wrote:

> The driver checks for a single package overflowing

   Maybe packet?

> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
[...]

MBR, Sergey
Oliver Neukum Nov. 22, 2023, 10:04 a.m. UTC | #2
On 22.11.23 10:55, Sergey Shtylyov wrote:
> On 11/22/23 12:52 PM, Oliver Neukum wrote:
> 
>> The driver checks for a single package overflowing
> 
>     Maybe packet?

No, that would be read as network packet, which
is precisely what this not not and should not
be mistaken for.

	Regards
		Oliver
Sergey Shtylyov Nov. 22, 2023, 10:07 a.m. UTC | #3
On 11/22/23 1:04 PM, Oliver Neukum wrote:

[...]
>>> The driver checks for a single package overflowing
>>
>>     Maybe packet?
> 
> No, that would be read as network packet, which
> is precisely what this not not and should not
> be mistaken for.

   But "package" hardly fits either. Is it a USB packet or something else?

>     Regards
>         Oliver

MBR, Sergey
Oliver Neukum Nov. 22, 2023, 10:20 a.m. UTC | #4
On 22.11.23 11:07, Sergei Shtylyov wrote:
> On 11/22/23 1:04 PM, Oliver Neukum wrote:
> 
> [...]
>>>> The driver checks for a single package overflowing
>>>
>>>      Maybe packet?
>>
>> No, that would be read as network packet, which
>> is precisely what this not not and should not
>> be mistaken for.
> 
>     But "package" hardly fits either. Is it a USB packet or something else?

Technically the content of the buffer associated
with a single URB. Which on USB physically can be multiple
packets. The network packets arrive together in a package.
That is how this and related drivers operate.

	Regards
		Oliver
Simon Horman Nov. 24, 2023, 11:53 a.m. UTC | #5
On Wed, Nov 22, 2023 at 11:20:47AM +0100, Oliver Neukum wrote:
> 
> 
> On 22.11.23 11:07, Sergei Shtylyov wrote:
> > On 11/22/23 1:04 PM, Oliver Neukum wrote:
> > 
> > [...]
> > > > > The driver checks for a single package overflowing
> > > > 
> > > >      Maybe packet?
> > > 
> > > No, that would be read as network packet, which
> > > is precisely what this not not and should not
> > > be mistaken for.
> > 
> >     But "package" hardly fits either. Is it a USB packet or something else?
> 
> Technically the content of the buffer associated
> with a single URB. Which on USB physically can be multiple
> packets. The network packets arrive together in a package.
> That is how this and related drivers operate.

I think it would be useful to include information along the lines
of the above in the patch description.
Oliver Neukum Nov. 30, 2023, 9:38 a.m. UTC | #6
On 24.11.23 12:53, Simon Horman wrote:
>
> 
> I think it would be useful to include information along the lines
> of the above in the patch description.

Hi,

I see why you want this information to be available.
So I thought about it and I think this should be
either in Documentation or in a comment in usbnet,
so that new drivers include the necessary checks
from the start. What do you think?

	Regards
		Oliver
Simon Horman Nov. 30, 2023, 4:42 p.m. UTC | #7
On Thu, Nov 30, 2023 at 10:38:09AM +0100, Oliver Neukum wrote:
> On 24.11.23 12:53, Simon Horman wrote:
> > 
> > 
> > I think it would be useful to include information along the lines
> > of the above in the patch description.
> 
> Hi,
> 
> I see why you want this information to be available.
> So I thought about it and I think this should be
> either in Documentation or in a comment in usbnet,
> so that new drivers include the necessary checks
> from the start. What do you think?

Hi Oliver,

yes, now you mention it that does seem appropriate.
And I don't think that doing so gates this patch.

Reviewed-by: Simon Horman <horms@kernel.org>
Paolo Abeni Dec. 5, 2023, 8:04 a.m. UTC | #8
On Wed, 2023-11-22 at 10:52 +0100, Oliver Neukum wrote:
> The driver checks for a single package overflowing
> maximum size. That needs to be done, but it is not
> enough. As a single transmission can contain a high
> number of packets, we also need to check whether
> the aggregate of messages in itself short enough
> overflow the buffer.
> That is easiest done by checking that the current
> packet does not overflow the buffer.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>

This looks like a bugfix, so a suitable Fixes tag should be included.

> ---
> 
> v2: corrected typo in commit message
>  
>  drivers/net/usb/gl620a.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
> index 46af78caf457..d33ae15abdc1 100644
> --- a/drivers/net/usb/gl620a.c
> +++ b/drivers/net/usb/gl620a.c
> @@ -104,6 +104,10 @@ static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
>  			return 0;
>  		}
>  
> +		/* we also need to check for overflowing the buffer */
> +		if (size > skb->len)
> +			return 0;

I think the above is not strict enough: at this point skb->data points
to the gl_packet header. The first 4 bytes in skb are gl_packet-
>packet_length. To ensure an overflow is avoided you should check for:

		if (size + 4 > skb->len)

likely with a describing comment.

Cheers,

Paolo
Oliver Neukum Dec. 5, 2023, 10:21 a.m. UTC | #9
On 05.12.23 09:04, Paolo Abeni wrote:

Hi,

> I think the above is not strict enough: at this point skb->data points
> to the gl_packet header. The first 4 bytes in skb are gl_packet-
>> packet_length. To ensure an overflow is avoided you should check for:
> 
> 		if (size + 4 > skb->len)
> 
> likely with a describing comment.

it seems to me that at the time of the check skb->len has already
been adjusted by the skb_pull() before, respectively at the end, of
the loop.

	Regards
		Oliver
diff mbox series

Patch

diff --git a/drivers/net/usb/gl620a.c b/drivers/net/usb/gl620a.c
index 46af78caf457..d33ae15abdc1 100644
--- a/drivers/net/usb/gl620a.c
+++ b/drivers/net/usb/gl620a.c
@@ -104,6 +104,10 @@  static int genelink_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
 			return 0;
 		}
 
+		/* we also need to check for overflowing the buffer */
+		if (size > skb->len)
+			return 0;
+
 		// allocate the skb for the individual packet
 		gl_skb = alloc_skb(size, GFP_ATOMIC);
 		if (gl_skb) {