| From b4f17a488ae2e09bfcf95c0e0b4219c246f1116a Mon Sep 17 00:00:00 2001 |
| From: Hans de Goede <hdegoede@redhat.com> |
| Date: Sat, 3 Aug 2013 16:37:48 +0200 |
| Subject: usb: config->desc.bLength may not exceed amount of data returned by the device |
| |
| From: Hans de Goede <hdegoede@redhat.com> |
| |
| commit b4f17a488ae2e09bfcf95c0e0b4219c246f1116a upstream. |
| |
| While reading the config parsing code I noticed this check is missing, without |
| this check config->desc.wTotalLength can end up with a value larger then the |
| dev->rawdescriptors length for the config, and when userspace then tries to |
| get the rawdescriptors bad things may happen. |
| |
| Signed-off-by: Hans de Goede <hdegoede@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/core/config.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/usb/core/config.c |
| +++ b/drivers/usb/core/config.c |
| @@ -424,7 +424,8 @@ static int usb_parse_configuration(struc |
| |
| memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); |
| if (config->desc.bDescriptorType != USB_DT_CONFIG || |
| - config->desc.bLength < USB_DT_CONFIG_SIZE) { |
| + config->desc.bLength < USB_DT_CONFIG_SIZE || |
| + config->desc.bLength > size) { |
| dev_err(ddev, "invalid descriptor for config index %d: " |
| "type = 0x%X, length = %d\n", cfgidx, |
| config->desc.bDescriptorType, config->desc.bLength); |
