linux/drivers/usb
Bryan O'Donoghue 2b405533c2 USB: gadget: f_ncm: Fix NDP16 datagram validation
commit 2b74b0a04d ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
adds important bounds checking; however, it unfortunately also introduces a
bug with respect to section 3.3.1 of the NCM specification.

wDatagramIndex[1] : "Byte index, in little endian, of the second datagram
described by this NDP16. If zero, then this marks the end of the sequence
of datagrams in this NDP16."

wDatagramLength[1]: "Byte length, in little endian, of the second datagram
described by this NDP16. If zero, then this marks the end of the sequence
of datagrams in this NDP16."

wDatagramIndex[1] and wDatagramLength[1] respectively then may be zero but
that does not mean we should throw away the data referenced by
wDatagramIndex[0] and wDatagramLength[0] as is currently the case.

Breaking the loop on (index2 == 0 || dg_len2 == 0) should come at the end
as was previously the case and checks for index2 and dg_len2 should be
removed since zero is valid.

I'm not sure how much testing the above patch received but for me right now
after enumeration ping doesn't work. Reverting the commit restores ping,
scp, etc.

The extra validation associated with wDatagramIndex[0] and
wDatagramLength[0] appears to be valid, so this change removes the incorrect
restriction on wDatagramIndex[1] and wDatagramLength[1], restoring data
processing between host and device.

Fixes: 2b74b0a04d ("USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()")
Cc: Ilja Van Sprundel <ivansprundel@ioactive.com>
Cc: Brooke Basile <brookebasile@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://lore.kernel.org/r/20200920170158.1217068-1-bryan.odonoghue@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-09-22 18:51:52 +02:00
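
Added example (not code from the kernel or from this commit): a user-space C walker for the NDP16 datagram pairs that applies the termination rule quoted above from section 3.3.1, with a flag that models the regression the commit message describes. The function name ndp16_walk, its parameters and the sample NTB bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* All NDP16 fields are little endian. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Walk the wDatagramIndex[n]/wDatagramLength[n] pairs of the NDP16 at ndp_off
 * inside an NTB of ntb_len bytes. Returns the number of datagrams recorded in
 * out_idx/out_len, or -1 if the block must be dropped. Layout: dwSignature(4),
 * wLength(2), wNextNdpIndex(2), then 4-byte pairs. Signature and NTH16 checks
 * are omitted. reject_zero_next != 0 models the regression described in the
 * commit message: a zero pair is treated as an error, not as the terminator.
 */
int ndp16_walk(const uint8_t *ntb, size_t ntb_len, size_t ndp_off,
               uint16_t *out_idx, uint16_t *out_len, int max,
               int reject_zero_next)
{
    size_t ndp_len, off, end;
    int n = 0;

    /* Room for the header, one pair and the terminating pair. */
    if (ndp_off > ntb_len || ntb_len - ndp_off < 16)
        return -1;
    ndp_len = le16(ntb + ndp_off + 4);
    if (ndp_len < 16 || ndp_len % 4 != 0 || ndp_len > ntb_len - ndp_off)
        return -1;
    end = ndp_off + ndp_len;

    for (off = ndp_off + 8; off + 4 <= end; off += 4) {
        uint16_t idx = le16(ntb + off), len = le16(ntb + off + 2);

        if (idx == 0 || len == 0)           /* end of the datagram sequence */
            return reject_zero_next ? -1 : n;
        if (n == max || (size_t)idx + len > ntb_len)
            return -1;                      /* caller array full or out of bounds */
        out_idx[n] = idx;
        out_len[n++] = len;
    }
    return -1;                              /* ran off the NDP16 without a terminator */
}

/* Constructed sample: NTH16 (12 bytes), NDP16 at 12, one 36-byte datagram at 28. */
const uint8_t sample_ntb[64] = {
    'N','C','M','H', 12,0, 0,0, 64,0, 12,0,
    'N','C','M','0', 16,0, 0,0, 28,0, 36,0, 0,0, 0,0,
};
```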
..
atm usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
c67x00 treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
cdns3 usb: cdns3: convert to devm_platform_ioremap_resource_byname 2020-07-29 16:49:37 +02:00
chipidea ENDIAN issue fix and one query controller role API is introduced. 2020-07-29 13:57:09 +02:00
class usblp: fix race between disconnect() and read() 2020-09-17 18:45:30 +02:00
common usb: common: usb-conn-gpio: Register charger 2020-07-30 08:45:24 +02:00
core USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook 2020-09-16 13:08:18 +02:00
dwc2 Revert "usb: dwc2: override PHY input signals with usb role switch support" 2020-07-27 15:34:15 +02:00
dwc3 Revert "usb: dwc3: meson-g12a: fix shared reset control use" 2020-09-04 16:41:22 +02:00
early usb: early: xhci-dbc: File headers are not good candidates for kerneldoc 2020-07-09 17:19:59 +02:00
gadget USB: gadget: f_ncm: Fix NDP16 datagram validation 2020-09-22 18:51:52 +02:00
host ehci-hcd: Move include to keep CRC stable 2020-09-17 08:39:50 +02:00
image usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
isp1760 usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
misc USB: lvtest: return proper error code in probe 2020-08-18 11:55:23 +02:00
mon
mtu3 usb: mtu3: simplify mtu3_req_complete() 2020-07-29 16:53:59 +02:00
musb treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
phy USB: PHY: JZ4770: Fix static checker warning. 2020-08-25 16:02:34 +02:00
renesas_usbhs usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
roles
serial USB: serial: option: support dynamic Quectel USB compositions 2020-08-31 08:37:17 +02:00
storage USB: UAS: fix disconnect by unplugging a hub 2020-09-16 12:35:14 +02:00
typec usb: typec: intel_pmc_mux: Handle SCU IPC error conditions 2020-09-16 13:09:31 +02:00
usbip usbip: Implement a match function to fix usbip 2020-08-18 11:55:23 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
usb-skeleton.c