diff mbox series

[RFC,3/6] usb: usb_parse_endpoint needs to guard against short descriptors

Message ID 20240411124722.17343-4-oneukum@suse.com (mailing list archive)
State Superseded
Headers show
Series [RFC,1/6] usb: usb_parse_endpoint ignore reserved bits | expand

Commit Message

Oliver Neukum April 11, 2024, 12:43 p.m. UTC
If a malicious device gives us a descriptor of zero length
we'll go into an infinite loop. We have to check and do
a hard bailout.
If we get a descriptor of length < 2 we'll parse the next
descriptor as part of the current descriptor. We need to check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/usb/core/config.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Alan Stern April 11, 2024, 3:57 p.m. UTC | #1
On Thu, Apr 11, 2024 at 02:43:01PM +0200, Oliver Neukum wrote:
> If a malicious device gives us a descriptor of zero length
> we'll go into an infinite loop. We have to check and do
> a hard bailout.
> If we get a descriptor of length < 2 we'll parse the next
> descriptor as part of the current descriptor. We need to check.
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>  drivers/usb/core/config.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 5891652b6202..050cd5066ccf 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno,
>  	const unsigned short *maxpacket_maxes;
>  
>  	d = (struct usb_endpoint_descriptor *) buffer;
> +	if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */
> +		return -EINVAL;

Your 6/6 patch should guarantee that this can never happen.  Then this 
check won't be needed.

Alan Stern
diff mbox series

Patch

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 5891652b6202..050cd5066ccf 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -265,6 +265,9 @@  static int usb_parse_endpoint(struct device *ddev, int cfgno,
 	const unsigned short *maxpacket_maxes;
 
 	d = (struct usb_endpoint_descriptor *) buffer;
+	if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */
+		return -EINVAL;
+
 	buffer += d->bLength;
 	size -= d->bLength;