Re: [PATCH net] net: usb: cdc_ncm: reject negative chained NDP offsets

Next message: Theodore Tso: "Re: [RFC v2 0/1] ext4: fail fast on repeated buffer_head reads after IO failure"
Previous message: Andrey Konovalov: "Re: [PATCH] kasan: Add abbreviation KASAN to init log"
In reply to: Oliver Neukum: "Re: [PATCH net] net: usb: cdc_ncm: reject negative chained NDP offsets"
Next in thread: Bj&#xF8;rn Mork: "Re: [PATCH net] net: usb: cdc_ncm: reject negative chained NDP offsets"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Mon Apr 13 2026 - 08:46:31 EST

On Mon, Apr 13, 2026 at 02:11:50PM +0200, Oliver Neukum wrote:
> On 13.04.26 12:43, Greg Kroah-Hartman wrote:
> > On Mon, Apr 13, 2026 at 10:36:19AM +0200, Oliver Neukum wrote:
> > >
> > >
> > > On 11.04.26 12:53, Greg Kroah-Hartman wrote:
> > > > cdc_ncm_rx_fixup() reads dwNextNdpIndex from each NDP32 to chain to the
> > > > next one. The 32-bit value from the device is stored into the signed
> > > > int ndpoffset so that means values with the high bit set become
> > >
> > > Well, then isn't the problem rather that you should not store an
> > > unsigned value in a signed variable?
> >
> > No. well, yes. but no.
> >
> > cdc_ncm_rx_verify_nth16() returns an int, and is negative if something
> > went wrong, so we need it that way, and then we need to check it, like
> > we properly do at the top of the loop, it's just that at the bottom of
> > the loop we also need to do the same exact thing.
>
> Doesn't that suggest that cdc_ncm_rx_verify_nth16() is the problem?
> To be precise, the way it indicates errors?
> As this is an offset into a buffer and the header must be at the start
> of the buffer, isn't 0 the natural indication of an error?

Maybe? I really don't know, sorry, parsing the cdc_ncm buffer is not
something I looked too deeply into :)

greg k-h