Am Mittwoch, den 30.10.2019, 12:22 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 96c6c319 net: kasan: kmsan: support CONFIG_GENERIC_CSUM on..
> git tree: https://github.com/google/kmsan.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=11f103bce00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9e324dfe9c7b0360
> dashboard link: https://syzkaller.appspot.com/bug?extid=0631d878823ce2411636
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dd9774e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13651a24e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0631d878823ce2411636@xxxxxxxxxxxxxxxxxxxxxxxxx
#syz test: https://github.com/google/kmsan.git 96c6c319
From 090ac0305bb47da9336c0188e0e59e50ff2243c3 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@xxxxxxxx>
Date: Tue, 5 Nov 2019 12:04:44 +0100
Subject: [PATCH] CDC-NCM: handle incomplete transfer of MTU
A malicious device may give half an answer when asked
for its MTU. The driver will proceed after this with
a garbage MTU. Anything but a complete answer must be treated
as an error.
Reported-by: syzbot+0631d878823ce2411636@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
---
drivers/net/usb/cdc_ncm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 00cab3f43a4c..939487a5f4bc 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -579,7 +579,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
0, iface_no, &max_datagram_size, 2);
- if (err < 0) {
+ if (err < 2) {
dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
goto out;
}
--
2.16.4
