cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize [ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ] Endpoints with zero wMaxPacketSize are not usable for transferring data. Ignore such endpoints when looking for valid in, out and status pipes, to make the driver more robust against invalid and meaningless descriptors. The wMaxPacketSize of the out pipe is used as divisor. So this change fixes a divide-by-zero bug. Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com Signed-off-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 941b5eefb1f0429da6fe2107aae35a07e5440f76 [log] [tgz]
author: Bjørn Mork <bjorn@mork.no> Wed Sep 18 14:01:46 2019 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Sat Oct 05 12:30:12 2019 +0200
tree: c00e6da348ede73e00a348fa1c1d10f3d5fe2e5e
parent: 337da470bd10a31ec73ef697d3d0a9a18c207cca [diff]
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 7b15867..43e28d2 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c

@@ -679,8 +679,12 @@
 	u8 ep;
 
 	for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
-
 		e = intf->cur_altsetting->endpoint + ep;
+
+		/* ignore endpoints which cannot transfer data */
+		if (!usb_endpoint_maxp(&e->desc))
+			continue;
+
 		switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
 		case USB_ENDPOINT_XFER_INT:
 			if (usb_endpoint_dir_in(&e->desc)) {
commit	941b5eefb1f0429da6fe2107aae35a07e5440f76	[log] [tgz]
author	Bjørn Mork <bjorn@mork.no>	Wed Sep 18 14:01:46 2019 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Sat Oct 05 12:30:12 2019 +0200
tree	c00e6da348ede73e00a348fa1c1d10f3d5fe2e5e
parent	337da470bd10a31ec73ef697d3d0a9a18c207cca [diff]