USB: core: harden cdc_parse_cdc_header
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Sep 2017 14:58:48 +0000 (16:58 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Sep 2017 15:01:38 +0000 (17:01 +0200)
commit2e1c42391ff2556387b3cb6308b24f6f65619feb
treede17bf75f6f81fb1d2d14748ede49e7d3f3c2f88
parent60e70ecd7ae0f09ed07699517071eacb01c26d13
USB: core: harden cdc_parse_cdc_header

Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function.  He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/message.c