USB: core: harden cdc_parse_cdc_header commit 2e1c42391ff2556387b3cb6308b24f6f65619feb upstream. Andrey Konovalov reported a possible out-of-bounds problem for the cdc_parse_cdc_header function. He writes: It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0). So fix this issue up by properly validating the buffer length matches what the descriptor says it is. Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 767f7a2cf33a135fe3f57010b51c3f6e92d7677d [log] [tgz]
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thu Sep 21 16:58:48 2017 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thu Oct 12 11:51:17 2017 +0200
tree: 98a847a5c5fb9f8eb41923b8caf6fd27c9a5284f
parent: d77606e93d819ad4b8f57511ff61a629ced49750 [diff] [blame]
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 3a47077..4c38845 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c

@@ -2068,6 +2068,10 @@
 			elength = 1;
 			goto next_desc;
 		}
+		if ((buflen < elength) || (elength < 3)) {
+			dev_err(&intf->dev, "invalid descriptor buffer length\n");
+			break;
+		}
 		if (buffer[1] != USB_DT_CS_INTERFACE) {
 			dev_err(&intf->dev, "skipping garbage\n");
 			goto next_desc;
commit	767f7a2cf33a135fe3f57010b51c3f6e92d7677d	[log] [tgz]
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Thu Sep 21 16:58:48 2017 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	Thu Oct 12 11:51:17 2017 +0200
tree	98a847a5c5fb9f8eb41923b8caf6fd27c9a5284f
parent	d77606e93d819ad4b8f57511ff61a629ced49750 [diff] [blame]