Commit 2e1c4239 authored Sep 21, 2017 by Greg Kroah-Hartman

USB: core: harden cdc_parse_cdc_header



Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
	It looks like cdc_parse_cdc_header() doesn't validate buflen
	before accessing buffer[1], buffer[2] and so on. The only check
	present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 60e70ecd

drivers/usb/core/message.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
	elength = 1;		elength = 1;
	goto next_desc;		goto next_desc;
	}		}
			if ((buflen < elength) \|\| (elength < 3)) {
			dev_err(&intf->dev, "invalid descriptor buffer length\n");
			break;
			}
	if (buffer[1] != USB_DT_CS_INTERFACE) {		if (buffer[1] != USB_DT_CS_INTERFACE) {
	dev_err(&intf->dev, "skipping garbage\n");		dev_err(&intf->dev, "skipping garbage\n");
	goto next_desc;		goto next_desc;