Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit c5acf880 authored by Marissa Wall's avatar Marissa Wall Committed by alexax66
Browse files

BACKPORT: USB: core: harden cdc_parse_cdc_header 



Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
	It looks like cdc_parse_cdc_header() doesn't validate buflen
	before accessing buffer[1], buffer[2] and so on. The only check
	present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

(cherry picked from commit 2e1c42391ff2556387b3cb6308b24f6f65619feb)

(The original patch fixed the generic cdc_parser_cdc_header function.
That generic function did not exist in 3.10 but there are a couple
cdc parsers that suffer from the same underlying problem.)

Bug: 69052594
Change-Id: I75b16a1eaad8a06bd9ef1db66148f72e965a341f
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarMarissa Wall <marissaw@google.com>
parent c40ec8e2
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment