Check the CDC headers for elements with insufficient length. Other popular operating systems filter then, too.
Signed-off-by: Oliver Neukum <oneukum@xxxxxxx>
---
 drivers/usb/class/cdc-wdm.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index a051a7a..6647f37 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -875,6 +875,7 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
 struct usb_cdc_dmm_desc *dmhd;
 u8 *buffer = intf->altsetting->extra;
 int buflen = intf->altsetting->extralen;
+ unsigned int elen = 0;
 u16 maxcom = WDM_DEFAULT_BUFSIZE;
 
 if (!buffer)
@@ -884,11 +885,13 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
 dev_err(&intf->dev, "skipping garbage\n");
 goto next_desc;
 }
-
+ elen = buffer[0];
 switch (buffer[2]) {
 case USB_CDC_HEADER_TYPE:
 break;
 case USB_CDC_DMM_TYPE:
+ if (elen < sizeof(struct usb_cdc_dmm_desc))
+ break;
 dmhd = (struct usb_cdc_dmm_desc *)buffer;
 maxcom = le16_to_cpu(dmhd->wMaxCommand);
 dev_dbg(&intf->dev,
@@ -901,8 +904,8 @@ static int wdm_probe(struct usb_interface *intf, const struct usb_device_id *id)
 break;
 }
 next_desc:
- buflen -= buffer[0];
- buffer += buffer[0];
+ buflen -= elen;
+ buffer += elen;
 }
 
 iface = intf->cur_altsetting;
--
1.8.4.5
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
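Review bot: In the second hunk the `goto next_desc;` of the "skipping garbage" branch runs before the new `elen = buffer[0];`, so the third hunk's `buflen -= elen; buffer += elen;` uses a stale value on that path. With the first hunk's `elen = 0` initialiser, a first descriptor that takes this branch would advance by zero bytes, and the loop would presumably never make progress. On later iterations it would advance by the previous element's length instead. Moving `elen = buffer[0];` to the top of the loop body, above the check that logs "skipping garbage", restores the old behaviour for that path. Since the commit is about untrusted descriptor lengths, a device-supplied length of zero or one larger than the remaining `buflen` is also still accepted; a guard such as `if (!elen || elen > buflen) break;` right after the assignment would stop the walk instead of stalling or stepping past `extralen`. The loop header and the start of the garbage check lie outside the visible hunks, so the loop condition should be confirmed against the full function.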