Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ea04efee authored by Dmitry Torokhov's avatar Dmitry Torokhov
Browse files

Input: ims-psu - check if CDC union descriptor is sane 



Before trying to use CDC union descriptor, try to validate whether that it
is sane by checking that intf->altsetting->extra is big enough and that
descriptor bLength is not too big and not too small.

Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent 20ac95d5

drivers/input/misc/ims-pcu.c

+14 −2
Original line number Diff line number Diff line
@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf) 
		return NULL;

	}



	while (buflen > 0) {

	while (buflen >= sizeof(*union_desc)) {

		union_desc = (struct usb_cdc_union_desc *)buf;



		if (union_desc->bLength > buflen) {

			dev_err(&intf->dev, "Too large descriptor\n");

			return NULL;

		}



		if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&

		    union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {

			dev_dbg(&intf->dev, "Found union header\n");



			if (union_desc->bLength >= sizeof(*union_desc))

				return union_desc;



			dev_err(&intf->dev,

				"Union descriptor to short (%d vs %zd\n)",

				union_desc->bLength, sizeof(*union_desc));

			return NULL;

		}



		buflen -= union_desc->bLength;