Message ID | 20240411124722.17343-5-oneukum@suse.com (mailing list archive) |
---|---|
State | Superseded |
Series | [RFC,1/6] usb: usb_parse_endpoint ignore reserved bits |
On Thu, Apr 11, 2024 at 02:43:02PM +0200, Oliver Neukum wrote: > usb_parse_endpoint processes an endpoint descriptor and then > advances the parser to the next endpoint descriptor. > However, a malicious device could feature something other than > an endpoint descriptor after the interface descriptor > > Signed-off-by: Oliver Neukum <oneukum@suse.com> > --- > drivers/usb/core/config.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 050cd5066ccf..055910fc6b19 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, > buffer += d->bLength; > size -= d->bLength; > > + if (d->bDescriptorType != USB_DT_ENDPOINT) > + goto skip_to_next_endpoint_or_interface_descriptor; > if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE) > n = USB_DT_ENDPOINT_AUDIO_SIZE; > else if (d->bLength >= USB_DT_ENDPOINT_SIZE) Not needed, because usb_parse_interface() calls find_next_descriptor() to find an endpoint descriptor or another interface descriptor before the first time it calls usb_parse_endpoint(). Alan Stern
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 050cd5066ccf..055910fc6b19 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, buffer += d->bLength; size -= d->bLength; + if (d->bDescriptorType != USB_DT_ENDPOINT) + goto skip_to_next_endpoint_or_interface_descriptor; if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE) n = USB_DT_ENDPOINT_AUDIO_SIZE; else if (d->bLength >= USB_DT_ENDPOINT_SIZE)
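Review bot: the added `if (d->bDescriptorType != USB_DT_ENDPOINT)` check jumps to `skip_to_next_endpoint_or_interface_descriptor` silently, with no comment in the code, and the changelog does not say which caller can pass usb_parse_endpoint() a non-endpoint descriptor or what goes wrong when that happens. Suggest naming the reachable call path in the commit message, since the reply in this thread states that usb_parse_interface() calls find_next_descriptor() before the first call to usb_parse_endpoint(). If the check is kept as defensive hardening, a one-line comment saying so above the test would help the next reader.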
usb_parse_endpoint processes an endpoint descriptor and then advances the parser to the next endpoint descriptor. However, a malicious device could feature something other than an endpoint descriptor after the interface descriptor.

Signed-off-by: Oliver Neukum <oneukum@suse.com>

---

drivers/usb/core/config.c | 2 ++

1 file changed, 2 insertions(+)
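The ordering discussed in this thread (skip to the next endpoint or interface descriptor first, parse an endpoint only after its type is confirmed), as an added user-space example that is not the kernel's code and not part of the thread. The helper names, the `DT_*` macros and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DT_INTERFACE     0x04   /* bDescriptorType values from the USB spec */
#define DT_ENDPOINT      0x05
#define DT_ENDPOINT_SIZE 7      /* minimum endpoint descriptor length */

/* Return the offset of the next endpoint or interface descriptor at or
 * after 'off', or 'len' if there is none or a header is malformed. */
static size_t next_ep_or_intf(const uint8_t *buf, size_t len, size_t off)
{
    while (off <= len && len - off >= 2) {
        uint8_t blen = buf[off], type = buf[off + 1];
        if (blen < 2 || blen > len - off)
            return len;                 /* bad bLength: stop, never overrun */
        if (type == DT_ENDPOINT || type == DT_INTERFACE)
            return off;
        off += blen;                    /* skip class/vendor descriptors */
    }
    return len;
}

/* Count well-formed endpoint descriptors that follow the interface
 * descriptor at 'off'. Returns -1 if that interface header is unusable. */
static int count_endpoints(const uint8_t *buf, size_t len, size_t off)
{
    int n = 0;
    if (off > len || len - off < 2 || buf[off] < 2 || buf[off] > len - off)
        return -1;
    off += buf[off];
    for (;;) {
        off = next_ep_or_intf(buf, len, off);
        if (off == len || buf[off + 1] != DT_ENDPOINT)
            break;                      /* end of data or next interface */
        if (buf[off] >= DT_ENDPOINT_SIZE)
            n++;
        off += buf[off];
    }
    return n;
}

/* Constructed sample: interface, class-specific descriptor, endpoint,
 * descriptor of type 0x30, endpoint, next interface. */
static const uint8_t sample[] = {
    9, 0x04, 0, 0, 2, 0xff, 0, 0, 0,   5, 0x24, 0, 0x10, 1,
    7, 0x05, 0x81, 2, 0, 2, 0,         6, 0x30, 0, 0, 0, 0,
    7, 0x05, 0x02, 2, 0, 2, 0,         9, 0x04, 1, 0, 0, 0xff, 0, 0, 0,
};

int main(void) { return count_endpoints(sample, sizeof(sample), 0) == 2 ? 0 : 1; }
```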