1 From 4a8737ff068724f509d583fef404d349adba80d6 Mon Sep 17 00:00:00 2001
2 From: Marc Kleine-Budde <mkl@pengutronix.de>
3 Date: Fri, 10 Dec 2021 10:03:09 +0100
4 Subject: can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
6 From: Marc Kleine-Budde <mkl@pengutronix.de>
8 commit 4a8737ff068724f509d583fef404d349adba80d6 upstream.
10 The received data contains the channel the received data is associated
11 with. If the channel number is bigger than the actual number of
12 channels assume broken or malicious USB device and shut it down.
14 This fixes the error found by clang:
16 | drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
17 | uninitialized whenever 'if' condition is true
18 | if (hf->channel >= GS_MAX_INTF)
19 | ^~~~~~~~~~~~~~~~~~~~~~~~~~
20 | drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
21 | hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
24 Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
25 Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
26 Cc: stable@vger.kernel.org
27 Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
30 drivers/net/can/usb/gs_usb.c | 3 ++-
31 1 file changed, 2 insertions(+), 1 deletion(-)
33 --- a/drivers/net/can/usb/gs_usb.c
34 +++ b/drivers/net/can/usb/gs_usb.c
35 @@ -303,7 +303,7 @@ static void gs_usb_receive_bulk_callback
37 /* device reports out of range channel id */
38 if (hf->channel >= GS_MAX_INTF)
42 dev = usbcan->canch[hf->channel];
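Review bot: The bound on `hf->channel` in the first hunk is the compile-time `GS_MAX_INTF`, not the number of channels this device actually set up, so `dev = usbcan->canch[hf->channel];` can still yield NULL for an in-range but unpopulated slot. The detach loop in the second hunk guards each slot with `if (usbcan->canch[rc])`, which suggests such NULL entries are expected. Since `hf->channel` comes from the USB device, which the description treats as possibly malicious, a NULL `dev` should take the same detach path as the out-of-range case, for example an `if (!dev)` guard directly after the assignment. Whether `dev` is dereferenced before any such check cannot be seen here: the function body continues outside the hunk, and the changed lines themselves are missing from this rendering.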
44 @@ -388,6 +388,7 @@ static void gs_usb_receive_bulk_callback
46 /* USB failure take down all interfaces */
49 for (rc = 0; rc < GS_MAX_INTF; rc++) {
50 if (usbcan->canch[rc])
51 netif_device_detach(usbcan->canch[rc]->netdev);