usb: config->desc.bLength may not exceed amount of data returned by the device

While reading the config parsing code I noticed this check is missing, without this check config->desc.wTotalLength can end up with a value larger then the dev->rawdescriptors length for the config, and when userspace then tries to get the rawdescriptors bad things may happen. Signed-off-by: N Hans de Goede <hdegoede@redhat.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: config->desc.bLength may not exceed amount of data returned by the device
While reading the config parsing code I noticed this check is missing, without this check config->desc.wTotalLength can end up with a value larger then the dev->rawdescriptors length for the config, and when userspace then tries to get the rawdescriptors bad things may happen. Signed-off-by: N Hans de Goede <hdegoede@redhat.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
b4f17a48 · Hans de Goede · Greg Kroah-Hartman · 3f0d1c67 · b4f17a48
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/usb/core/config.c drivers/usb/core/config.c +2 -1

未找到文件。
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,

 	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
 	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
-	    config->desc.bLength < USB_DT_CONFIG_SIZE) {
+	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
+	    config->desc.bLength > size) {
 		dev_err(ddev, "invalid descriptor for config index %d: "
 		    "type = 0x%X, length = %d\n", cfgidx,
 		    config->desc.bDescriptorType, config->desc.bLength);