From: Bjørn Mork <bjorn@mork.no>
Date: Mon, 6 Nov 2017 14:37:22 +0000 (+0100)
Subject: net: cdc_ether: fix divide by 0 on bad descriptors
X-Git-Tag: v4.1.12-124.31.3~861
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=6e267e967fb25573a76f598b5123e3429f69d34e;p=users%2Fjedix%2Flinux-maple.git

net: cdc_ether: fix divide by 0 on bad descriptors

Orabug: 27841392
CVE: CVE-2017-16649

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

Conflicts:
	drivers/net/usb/cdc_ether.c
	whitespace correction

Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
---

diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 4545e78840b0..b61c5995c9d4 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -260,7 +260,8 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
 				goto bad_desc;
 			}
 			info->ether = (void *) buf;
-			if (info->ether->bLength != sizeof(*info->ether)) {
+			if (info->ether->bLength != sizeof(*info->ether) &&
+			    info->ether->wMaxSegmentSize) {
 				dev_dbg(&intf->dev, "CDC ether len %u\n",
 					info->ether->bLength);
 				goto bad_desc;