USB: core: harden cdc_parse_cdc_header
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Sep 2017 14:58:48 +0000 (16:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Sep 2017 15:01:38 +0000 (17:01 +0200)
Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/message.c

index 4c38ea41ae969e6fac8ced209a655957322ba36f..371a07d874a370bc70ad6ef1499debac8b34b6fe 100644 (file)
@@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
                        elength = 1;
                        goto next_desc;
                }
+               if ((buflen < elength) || (elength < 3)) {
+                       dev_err(&intf->dev, "invalid descriptor buffer length\n");
+                       break;
+               }
                if (buffer[1] != USB_DT_CS_INTERFACE) {
                        dev_err(&intf->dev, "skipping garbage\n");
                        goto next_desc;