On Tue, Aug 06, 2024 at 07:28:06PM +0200, Foster Snowhill wrote: > Rx URB length was already checked in ipheth_rcvbulk_callback_legacy() > and ipheth_rcvbulk_callback_ncm(), depending on the current mode. > The check in ipheth_rcvbulk_callback() was thus mostly a duplicate. > > The only place in ipheth_rcvbulk_callback() where we care about the URB > length is for the initial control frame. These frames are always 4 bytes > long. This has been checked as far back as iOS 4.2.1 on iPhone 3G. > > Remove the extraneous URB length check. For control frames, check for > the specific 4-byte length instead. Hi Foster, I am slightly concerned what happens if a frame that does not match the slightly stricter check in this patch, is now passed to dev->rcvbulk_callback(). I see that observations have been made that this does not happen. But is there no way to inject malicious packets, or for something to malfunction? > > Signed-off-by: Foster Snowhill <forst@xxxxxx> > Tested-by: Georgi Valkov <gvalkov@xxxxxxxxx> > --- > drivers/net/usb/ipheth.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c > index 6eeef10edada..017255615508 100644 > --- a/drivers/net/usb/ipheth.c > +++ b/drivers/net/usb/ipheth.c > @@ -286,11 +286,6 @@ static void ipheth_rcvbulk_callback(struct urb *urb) > return; > } > > - if (urb->actual_length <= IPHETH_IP_ALIGN) { > - dev->net->stats.rx_length_errors++; > - return; > - } > - > /* RX URBs starting with 0x00 0x01 do not encapsulate Ethernet frames, > * but rather are control frames. Their purpose is not documented, and > * they don't affect driver functionality, okay to drop them. 
> @@ -298,7 +293,8 @@ static void ipheth_rcvbulk_callback(struct urb *urb) > * URB received from the bulk IN endpoint. > */ > if (unlikely > - (((char *)urb->transfer_buffer)[0] == 0 && > + (urb->actual_length == 4 && > + ((char *)urb->transfer_buffer)[0] == 0 && > ((char *)urb->transfer_buffer)[1] == 1)) > goto rx_submit; > > -- > 2.45.1 > >
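Review bot: In the first hunk (@@ -286,11 +286,6), dropping the urb->actual_length <= IPHETH_IP_ALIGN test leaves ipheth_rcvbulk_callback() with no lower bound on the received length, so a zero-length or very short URB now reaches dev->rcvbulk_callback() and is only rejected if the mode-specific callback covers that case. The commit message says ipheth_rcvbulk_callback_legacy() and ipheth_rcvbulk_callback_ncm() already check the length, but neither check is visible in this diff. Please state in the commit message or in a comment at this spot what minimum length each of those callbacks enforces and that dev->net->stats.rx_length_errors is still incremented there, which would also answer the question raised in the reply about malformed or malicious frames.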
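Review bot: In the second hunk (@@ -298,7 +293,8), the new urb->actual_length == 4 condition uses a bare literal, and the comment above it still describes control frames only by their 0x00 0x01 prefix. Consider a named constant for the control frame length and a sentence in the comment saying these frames are always 4 bytes, as the commit message does. Placing the length test first is good, since transfer_buffer[0] and transfer_buffer[1] are then only read when 4 bytes were actually received. Note also that a URB beginning 0x00 0x01 with any other length is no longer dropped here and goes to the mode callback instead; if that is intended, say so in the comment.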