Message ID | 20220105205443.1274709-2-mkl@pengutronix.de |
---|---|
State | Accepted |
Commit | 4a8737ff068724f509d583fef404d349adba80d6 |
Headers | show |
Series | [net,1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data | expand |
Hello: This series was applied to netdev/net.git (master) by Marc Kleine-Budde <mkl@pengutronix.de>: On Wed, 5 Jan 2022 21:54:42 +0100 you wrote: > The received data contains the channel the received data is associated > with. If the channel number is bigger than the actual number of > channels assume broken or malicious USB device and shut it down. > > This fixes the error found by clang: > > | drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used > | uninitialized whenever 'if' condition is true > | if (hf->channel >= GS_MAX_INTF) > | ^~~~~~~~~~~~~~~~~~~~~~~~~~ > | drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here > | hf, dev->gs_hf_size, gs_usb_receive_bulk_callback, > | ^~~ > > [...] Here is the summary with links: - [net,1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data https://git.kernel.org/netdev/net/c/4a8737ff0687 - [net,2/2] can: isotp: convert struct tpcon::{idx,len} to unsigned int https://git.kernel.org/netdev/net/c/5f33a09e769a You are awesome, thank you!
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index 1b400de00f51..d7ce2c5956f4 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -321,7 +321,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) /* device reports out of range channel id */ if (hf->channel >= GS_MAX_INTF) - goto resubmit_urb; + goto device_detach; dev = usbcan->canch[hf->channel]; @@ -406,6 +406,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) /* USB failure take down all interfaces */ if (rc == -ENODEV) { + device_detach: for (rc = 0; rc < GS_MAX_INTF; rc++) { if (usbcan->canch[rc]) netif_device_detach(usbcan->canch[rc]->netdev);
The received data contains the channel the received data is associated with. If the channel number is bigger than the actual number of channels assume broken or malicious USB device and shut it down. This fixes the error found by clang: | drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used | uninitialized whenever 'if' condition is true | if (hf->channel >= GS_MAX_INTF) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ | drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here | hf, dev->gs_hf_size, gs_usb_receive_bulk_callback, | ^~~ Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> --- drivers/net/can/usb/gs_usb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) base-commit: 1d5a474240407c38ca8c7484a656ee39f585399c