linux/drivers/usb
Bryan O'Donoghue 028296e480 USB: gadget: f_ncm: Fix NDP16 datagram validation
commit 2b74b0a04d ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
adds important bounds checking however it unfortunately also introduces a
bug with respect to section 3.3.1 of the NCM specification.

wDatagramIndex[1] : "Byte index, in little endian, of the second datagram
described by this NDP16. If zero, then this marks the end of the sequence
of datagrams in this NDP16."

wDatagramLength[1]: "Byte length, in little endian, of the second datagram
described by this NDP16. If zero, then this marks the end of the sequence
of datagrams in this NDP16."

wDatagramIndex[1] and wDatagramLength[1] respectively then may be zero but
that does not mean we should throw away the data referenced by
wDatagramIndex[0] and wDatagramLength[0] as is currently the case.

Breaking the loop on (index2 == 0 || dg_len2 == 0) should come at the end
as was previously the case and checks for index2 and dg_len2 should be
removed since zero is valid.

I'm not sure how much testing the above patch received but for me right now
after enumeration ping doesn't work. Reverting the commit restores ping,
scp, etc.

The extra validation associated with wDatagramIndex[0] and
wDatagramLength[0] appears to be valid, so this change removes the incorrect
restriction on wDatagramIndex[1] and wDatagramLength[1] restoring data
processing between host and device.

Fixes: 2b74b0a04d ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
Cc: Ilja Van Sprundel <ivansprundel@ioactive.com>
Cc: Brooke Basile <brookebasile@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
2020-10-02 09:57:39 +03:00
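
The check order the commit message describes, as an added example (a simplified stand-alone sketch, not the kernel's `ncm_unwrap_ntb()` code): each pair is bounds-checked before use, and a zero in the next pair ends the sequence only after the current datagram has been accepted. The function name `ndp16_count`, its parameters and the sample tables are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian 16-bit field. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Walk the (wDatagramIndex, wDatagramLength) pairs of one NDP16 (hypothetical
 * helper). entries: first pair; n_pairs: pairs that fit inside the NDP16;
 * block_len: size of the whole NTB. Returns the number of datagrams accepted,
 * or -1 if the NDP16 is rejected. reject_zero_next != 0 reproduces the
 * regression: a zero *next* pair is treated as an error instead of the end.
 */
int ndp16_count(const uint8_t *entries, size_t n_pairs, size_t block_len,
                int reject_zero_next)
{
    int count = 0;

    for (size_t i = 0; i + 1 < n_pairs; i++) {
        const uint8_t *e = entries + 4 * i;
        uint16_t index = le16(e), dg_len = le16(e + 2);
        uint16_t index2 = le16(e + 4), dg_len2 = le16(e + 6);

        /* The datagram being consumed must be non-empty and inside the NTB. */
        if (index == 0 || dg_len == 0 || (size_t)index + dg_len > block_len)
            return -1;
        /* Regression: datagram i is thrown away because pair i+1 is zero. */
        if (reject_zero_next && (index2 == 0 || dg_len2 == 0))
            return -1;
        count++;                      /* datagram i would be delivered here */
        /* Fixed order: zero in the next pair ends the sequence, at the end. */
        if (index2 == 0 || dg_len2 == 0)
            return count;
    }
    return -1;                        /* ran out of pairs without a terminator */
}

/* Constructed sample pair tables (little endian), not captured traffic. */
static const uint8_t one_dg[] = { 0x20,0x00, 0x40,0x00, 0,0, 0,0 };
static const uint8_t two_dg[] = { 0x20,0x00, 0x40,0x00, 0x60,0x00, 0x40,0x00, 0,0, 0,0 };
static const uint8_t oob_dg[] = { 0xF0,0x00, 0x40,0x00, 0,0, 0,0 };

int main(void)
{
    printf("fixed: %d %d %d\n", ndp16_count(one_dg, 2, 0x100, 0),
           ndp16_count(two_dg, 3, 0x100, 0), ndp16_count(oob_dg, 2, 0x100, 0));
    printf("regressed: %d\n", ndp16_count(one_dg, 2, 0x100, 1));
    return 0;
}
```
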
..
atm usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
c67x00 treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
cdns3 usb: cdns3: Enable workaround for USB2.0 PHY Rx compliance test PHY lockup 2020-10-02 09:57:39 +03:00
chipidea ENDIAN issue fix and one query controller role API is introduced. 2020-07-29 13:57:09 +02:00
class usblp: fix race between disconnect() and read() 2020-09-17 18:45:30 +02:00
common usb: common: usb-conn-gpio: Register charger 2020-07-30 08:45:24 +02:00
core USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook 2020-09-16 13:08:18 +02:00
dwc2 usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails 2020-09-24 11:56:16 +03:00
dwc3 usb: dwc-meson-g12a: Add support for USB on AXG SoCs 2020-10-02 09:57:39 +03:00
early usb: early: xhci-dbc: File headers are not good candidates for kerneldoc 2020-07-09 17:19:59 +02:00
gadget USB: gadget: f_ncm: Fix NDP16 datagram validation 2020-10-02 09:57:39 +03:00
host ehci-hcd: Move include to keep CRC stable 2020-09-17 08:39:50 +02:00
image usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
isp1760 usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
misc USB: lvtest: return proper error code in probe 2020-08-18 11:55:23 +02:00
mon
mtu3 usb: mtu3: Remove unsused inline function is_first_entry 2020-10-02 09:43:36 +03:00
musb treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
phy USB: PHY: JZ4770: Fix static checker warning. 2020-08-25 16:02:34 +02:00
renesas_usbhs usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
roles usb: roles: Switch on role-switch uevent reporting 2020-05-13 14:20:49 +02:00
serial USB: serial: option: support dynamic Quectel USB compositions 2020-08-31 08:37:17 +02:00
storage USB: UAS: fix disconnect by unplugging a hub 2020-09-16 12:35:14 +02:00
typec usb: typec: intel_pmc_mux: Handle SCU IPC error conditions 2020-09-16 13:09:31 +02:00
usbip usbip: Implement a match function to fix usbip 2020-08-18 11:55:23 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
usb-skeleton.c