From: Hans de Goede Date: Sat, 3 Aug 2013 14:37:48 +0000 (+0200) Subject: usb: config->desc.bLength may not exceed amount of data returned by the device X-Git-Tag: v3.10.13~70 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ef7198be2830f7d6951512724203326746756a86;p=platform%2Fkernel%2Flinux-stable.git usb: config->desc.bLength may not exceed amount of data returned by the device commit b4f17a488ae2e09bfcf95c0e0b4219c246f1116a upstream. While reading the config parsing code I noticed this check is missing, without this check config->desc.wTotalLength can end up with a value larger then the dev->rawdescriptors length for the config, and when userspace then tries to get the rawdescriptors bad things may happen. Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 7199adc..a6b2cab 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx, memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); if (config->desc.bDescriptorType != USB_DT_CONFIG || - config->desc.bLength < USB_DT_CONFIG_SIZE) { + config->desc.bLength < USB_DT_CONFIG_SIZE || + config->desc.bLength > size) { dev_err(ddev, "invalid descriptor for config index %d: " "type = 0x%X, length = %d\n", cfgidx, config->desc.bDescriptorType, config->desc.bLength);