On Tuesday, 14.03.2017, at 21:14 +0100, Tobias Herzog wrote: > Notifications may only be 8 bytes so long. Accessing the 9th and > 10th byte of unimplemented/unknown notifications may be insecure. > Also check the length of known notifications before accessing anything > behind the 8th byte. > > Signed-off-by: Tobias Herzog <t-herzog@xxxxxx> > --- > drivers/usb/class/cdc-acm.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c > index 40714fe..b99127e 100644 > --- a/drivers/usb/class/cdc-acm.c > +++ b/drivers/usb/class/cdc-acm.c > @@ -296,6 +296,12 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf) > break; > > case USB_CDC_NOTIFY_SERIAL_STATE: > + if (dr->wLength != 2) { Endianness > + dev_dbg(&acm->control->dev, > + "%s - malformed serial state\n", __func__); > + break; > + } > + > newctrl = get_unaligned_le16(data); > > if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) { > @@ -332,11 +338,10 @@ static void acm_process_notification(struct acm *acm, unsigned char *buf) > > default: > dev_dbg(&acm->control->dev, > - "%s - unknown notification %d received: index %d " > - "len %d data0 %d data1 %d\n", > + "%s - unknown notification %d received: index %d len %d\n", > __func__, > dr->bNotificationType, dr->wIndex, > - dr->wLength, data[0], data[1]); > + dr->wLength); > } > } > --
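
Review bot: In the USB_CDC_NOTIFY_SERIAL_STATE case of the first hunk, `dr->wLength != 2` compares a field taken straight from the device's notification header with a host-order constant. The payload on the following line is read with get_unaligned_le16(data), so the notification is little-endian on the wire, and on a big-endian host this test would reject every well-formed serial state notification. Suggest `if (le16_to_cpu(dr->wLength) != 2) {`. Note also that wLength is a value the device declares: the visible lines do not show that the number of bytes actually received covers the 8-byte header plus these 2 data bytes, so the read of data stays in bounds only if that is checked elsewhere.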
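
Review bot: In the default case of the second hunk, `dr->wIndex` and `dr->wLength` are still passed to dev_dbg() unconverted, so the "index" and "len" values in the message come out byte-swapped on big-endian hosts, which is misleading exactly when an unknown notification is being diagnosed. Suggest wrapping both in le16_to_cpu(). Dropping data[0] and data[1] from the format is the right fix for the read past the 8th byte, since nothing in this branch establishes that any payload is present.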