
Commit 1bb9914e authored by Tobias Herzog Committed by Greg Kroah-Hartman

cdc-acm: fix possible invalid access when processing notification



Notifications may only be 8 bytes long. Accessing the 9th and
10th byte of unimplemented/unknown notifications may be insecure.
Also check the length of known notifications before accessing anything
behind the 8th byte.

Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 2f86a96b
+9 −4
@@ -323,6 +323,12 @@ static void acm_ctrl_irq(struct urb *urb)
		break;

	case USB_CDC_NOTIFY_SERIAL_STATE:
		if (le16_to_cpu(dr->wLength) != 2) {
			dev_dbg(&acm->control->dev,
				"%s - malformed serial state\n", __func__);
			break;
		}

		newctrl = get_unaligned_le16(data);

		if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
@@ -359,11 +365,10 @@ static void acm_ctrl_irq(struct urb *urb)

	default:
		dev_dbg(&acm->control->dev,
			"%s - unknown notification %d received: index %d "
			"len %d data0 %d data1 %d\n",
			"%s - unknown notification %d received: index %d len %d\n",
			__func__,
			dr->bNotificationType, dr->wIndex,
			dr->wLength, data[0], data[1]);
			dr->bNotificationType, dr->wIndex, dr->wLength);

		break;
	}
exit:
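Review bot: The new `USB_CDC_NOTIFY_SERIAL_STATE` guard validates only the `wLength` value the device reports, not how many bytes the URB actually delivered, so a device that sends a bare 8-byte header with `wLength` set to 2 still reaches `get_unaligned_le16(data)` and reads two bytes of stale buffer contents. Unless the received length is already checked earlier in `acm_ctrl_irq` (the function starts and ends outside these hunks, so that is not visible here), the condition should also bound the read by the transfer size, e.g. `if (le16_to_cpu(dr->wLength) != 2 || urb->actual_length < sizeof(*dr) + 2) {`. Separately, the `default:` message prints `dr->wIndex` and `dr->wLength` raw while the new check converts with `le16_to_cpu()`; converting them in the `dev_dbg()` call as well would keep the logged values correct on big-endian hosts.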