    net: cdc_ncm: fix NULL pointer deref in cdc_ncm_bind_common · 6527f833
    Bjørn Mork authored
    Commit 77b0a099 ("cdc-ncm: use common parser") added a dangerous
    new trust in the CDC functional descriptors presented by the device,
    unconditionally assuming that any device handled by the driver has
    a CDC Union descriptor.
    
    This descriptor is required by the NCM and MBIM specs, but crashing
    on non-compliant devices is still unacceptable. Not only will that
    allow malicious devices to crash the kernel, but in this case it is
    also well known that there are non-compliant real devices on the
    market - as shown by the comment accompanying the IAD workaround
    in the same function.
    
    The Sierra Wireless EM7305 is an example of such a device, having
    a CDC header and a CDC MBIM descriptor but no CDC Union:
    
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber       12
          bAlternateSetting       0
          bNumEndpoints           1
          bInterfaceClass         2 Communications
          bInterfaceSubClass     14
          bInterfaceProtocol      0
          iInterface              0
          CDC Header:
            bcdCDC               1.10
          CDC MBIM:
            bcdMBIMVersion       1.00
            wMaxControlMessage   4096
            bNumberFilters       16
            bMaxFilterSize       128
            wMaxSegmentSize      4064
            bmNetworkCapabilities 0x20
              8-byte ntb input size
          Endpoint Descriptor:
    	..
    
    The conversion to a common parser also left the local cdc_union
    variable untouched.  This caused the IAD workaround code to be applied
    to all devices with an IAD descriptor, which was never intended.  Finish
    the conversion by testing for hdr.usb_cdc_union_desc instead.
    
    Cc: Oliver Neukum <oneukum@suse.com>
    Fixes: 77b0a099 ("cdc-ncm: use common parser")
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
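The defensive pattern the commit describes, as an added stand-alone example that is not the kernel's cdc_ncm code: a parser that walks one interface's class-specific descriptors and records a NULL for any CDC functional descriptor the device did not present, and a caller that uses the Union descriptor's bSlaveInterface0 only when that pointer is non-NULL. The `cdc_parsed` struct, the `fallback` argument (a stand-in for the driver's IAD workaround) and the descriptor blobs are assumptions constructed for this example; the first blob reproduces the EM7305 listing above (CDC Header plus CDC MBIM, no Union).

```c
#include <stddef.h>
#include <stdint.h>
/* Descriptor type/subtype codes from the USB CDC spec (as in linux/usb/cdc.h). */
#define USB_DT_CS_INTERFACE 0x24
#define USB_CDC_HEADER_TYPE 0x00
#define USB_CDC_UNION_TYPE  0x06
#define USB_CDC_MBIM_TYPE   0x1b

/* Hypothetical stand-in for the parsed-descriptor struct: a pointer stays
 * NULL when the device did not present that functional descriptor. */
struct cdc_parsed { const uint8_t *header, *union_d, *mbim; };

/* Walk one interface's class-specific descriptors; 0 on success, -1 if the
 * blob is malformed (zero-length or truncated descriptor). */
int cdc_parse(const uint8_t *buf, size_t len, struct cdc_parsed *p)
{
    p->header = p->union_d = p->mbim = NULL;
    while (len >= 3) {
        uint8_t dlen = buf[0];
        if (dlen < 3 || dlen > len)
            return -1;
        if (buf[1] == USB_DT_CS_INTERFACE) {
            switch (buf[2]) {
            case USB_CDC_HEADER_TYPE: p->header = buf; break;
            case USB_CDC_UNION_TYPE:  if (dlen >= 5) p->union_d = buf; break;
            case USB_CDC_MBIM_TYPE:   p->mbim = buf; break;
            }
        }
        buf += dlen; len -= dlen;
    }
    return 0;
}

/* Resolve the data interface: bSlaveInterface0 from the Union descriptor when
 * one exists, otherwise the caller's fallback (standing in for the driver's IAD
 * workaround) rather than dereferencing a NULL pointer. */
int cdc_data_interface(const uint8_t *buf, size_t len, int fallback)
{
    struct cdc_parsed p;
    if (cdc_parse(buf, len, &p) < 0)
        return -1;
    return p.union_d ? p.union_d[4] : fallback;
}

/* Constructed blobs. no_union mirrors the EM7305 listing: CDC Header (bcdCDC
 * 1.10) plus CDC MBIM, no Union. with_union adds a Union joining 12 -> 13. */
static const uint8_t no_union[] = { 5, 0x24, 0x00, 0x10, 0x01,
    12, 0x24, 0x1b, 0x00, 0x01, 0x00, 0x10, 16, 128, 0xe0, 0x0f, 0x20 };
static const uint8_t with_union[] = { 5, 0x24, 0x00, 0x10, 0x01, 5, 0x24, 0x06, 12, 13 };
static const uint8_t truncated[] = { 5, 0x24, 0x00, 0x10 }; /* claims 5 bytes, has 4 */
```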