Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

usb: config->desc.bLength may not exceed amount of data returned by the device

While reading the config parsing code I noticed this check is missing, without
this check config->desc.wTotalLength can end up with a value larger then the
dev->rawdescriptors length for the config, and when userspace then tries to
get the rawdescriptors bad things may happen.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hans de Goede 12 years ago
parent
3f0d1c67fa
commit
b4f17a488a
1 changed files with 2 additions and 1 deletions
Split View Show Diff Stats
  1. 2 1
      drivers/usb/core/config.c

+ 2 - 1
drivers/usb/core/config.c
View File 

@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
 
 
 	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
 
 	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
 
-	    config->desc.bLength < USB_DT_CONFIG_SIZE) {
 
+	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
 
+	    config->desc.bLength > size) {
 
 		dev_err(ddev, "invalid descriptor for config index %d: "
 
 		    "type = 0x%X, length = %d\n", cfgidx,
 
 		    config->desc.bDescriptorType, config->desc.bLength);