Message ID | 20240411124722.17343-4-oneukum@suse.com (mailing list archive)
---|---
State | Superseded
Series | [RFC,1/6] usb: usb_parse_endpoint ignore reserved bits
On Thu, Apr 11, 2024 at 02:43:01PM +0200, Oliver Neukum wrote: > If a malicious device gives us a descriptor of zero length > we'll go into an infinite loop. We have to check and do > a hard bailout. > If we get a descriptor of length < 2 we'll parse the next > descriptor as part of the current descriptor. We need to check. > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > --- > drivers/usb/core/config.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 5891652b6202..050cd5066ccf 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, > const unsigned short *maxpacket_maxes; > > d = (struct usb_endpoint_descriptor *) buffer; > + if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */ > + return -EINVAL; Your 6/6 patch should guarantee that this can never happen. Then this check won't be needed. Alan Stern
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 5891652b6202..050cd5066ccf 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, const unsigned short *maxpacket_maxes; d = (struct usb_endpoint_descriptor *) buffer; + if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */ + return -EINVAL; + buffer += d->bLength; size -= d->bLength;
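Review bot: the comment on the new check, `/* this amounts to sabotage */`, does not say what the check actually prevents; the rationale from the commit message (a bLength of zero never advances `buffer`, so the loop never terminates, and a bLength below the two-byte header size makes the next descriptor be parsed as part of this one) belongs in the code, e.g. `/* bLength below the header size: 0 would loop forever, 1 would misparse the next descriptor */`. Also note that the check only bounds bLength from below; the hunk's trailing context (`buffer += d->bLength; size -= d->bLength;`) still relies on bLength not exceeding the remaining `size`, which this hunk does not establish, so it is worth confirming in the surrounding code (or in patch 6/6, which Alan Stern's reply says makes this lower-bound check redundant) that the upper bound is enforced before the subtraction.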
If a malicious device gives us a descriptor of zero length we'll go into an infinite loop. We have to check and do a hard bailout. If we get a descriptor of length < 2 we'll parse the next descriptor as part of the current descriptor. We need to check. Signed-off-by: Oliver Neukum <oneukum@suse.com> --- drivers/usb/core/config.c | 3 +++ 1 file changed, 3 insertions(+)