On Mon, Jun 07, 2021 at 11:23:07AM -0400, Alan Stern wrote:
> The USB core has utility routines to retrieve various types of
> descriptors. These routines will now provoke a WARN if they are asked
> to retrieve 0 bytes (USB "receive" requests must not have zero
> length), so avert this by checking the size argument at the start.
>
> Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> CC: Johan Hovold <johan@xxxxxxxxxx>
>
> ---
>
> v2: Added extra blank lines following the sanity tests.
Even better.
Reviewed-by: Johan Hovold <johan@xxxxxxxxxx>
> drivers/usb/core/message.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> Index: usb-devel/drivers/usb/core/message.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/message.c
> +++ usb-devel/drivers/usb/core/message.c
> @@ -783,6 +783,9 @@ int usb_get_descriptor(struct usb_device
> int i;
> int result;
>
> + if (size <= 0) /* No point in asking for no data */
> + return -EINVAL;
> +
> memset(buf, 0, size); /* Make sure we parse really received data */
>
> for (i = 0; i < 3; ++i) {
> @@ -832,6 +835,9 @@ static int usb_get_string(struct usb_dev
> int i;
> int result;
>
> + if (size <= 0) /* No point in asking for no data */
> + return -EINVAL;
> +
> for (i = 0; i < 3; ++i) {
> /* retry on length 0 or stall; some devices are flakey */
> result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
>
