On 21.12.21 08:54, Greg KH wrote:
> On Thu, Dec 16, 2021 at 11:16:26AM +0100, Oliver Neukum wrote:
>>
>> 2) a heuristic to find the endpoints is used (that should be converted
>> to the new API)
>>
>> 3) they are given numerically by the subdriver
>>
>> It turns out that #3 needs to verify the endpoints against malicious
>> devices.
>> So the following questions
>>
>> a) should that verification go into usbcore
> the usb_find_common_endpoints() functions are in the usbcore for drivers
> to use for this type of problem.

That API insists on finding the endpoints. It is a heuristic, so we need
to have a fallback in case it fails.

>> b) what possible ways for a malicious device to spoof us can you come
>> up with
> Start with:
> - invalid endpoint sizes and types
> - invalid data being sent on valid endpoint types
> and you will catch almost all possible errors.
>

OK. But I still need a way to do verification _only_.

    Regards
        Oliver
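The "verification only" check discussed in this message, as an added example that is not part of the original mail and is not kernel code: a user-space C model that takes the endpoint address a subdriver supplies numerically and checks it against the device-supplied descriptors for existence, transfer type and a non-zero packet size. The struct `ep_desc`, the helper `ep_verify` and both sample devices are hypothetical and constructed for illustration; only the field layout follows the USB endpoint descriptor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal model of a USB endpoint descriptor (hypothetical struct). */
struct ep_desc {
    uint8_t  bEndpointAddress; /* bit 7: 1 = IN, bits 0-3: endpoint number */
    uint8_t  bmAttributes;     /* bits 0-1: 0 ctrl, 1 isoc, 2 bulk, 3 int */
    uint16_t wMaxPacketSize;   /* bits 0-10: maximum packet size */
};

enum { XFER_BULK = 2, XFER_INT = 3 };

/*
 * Hypothetical helper: verify, without any searching heuristic, that the
 * address hard-coded by a subdriver exists with the expected transfer type
 * and a usable packet size. Direction is part of the address, so an IN/OUT
 * mismatch simply fails to match any descriptor.
 */
static bool ep_verify(const struct ep_desc *eps, size_t n,
                      uint8_t addr, uint8_t xfer_type)
{
    for (size_t i = 0; i < n; i++) {
        if (eps[i].bEndpointAddress != addr)
            continue;
        if ((eps[i].bmAttributes & 0x03) != xfer_type)
            return false;  /* wrong type, e.g. bulk where interrupt expected */
        if ((eps[i].wMaxPacketSize & 0x07ff) == 0)
            return false;  /* zero-size endpoint */
        return true;
    }
    return false;          /* address not present at all */
}

/* Constructed samples: a well-formed device and one with bad descriptors. */
static const struct ep_desc good_dev[] = {
    { 0x81, XFER_INT, 8 }, { 0x82, XFER_BULK, 512 }, { 0x02, XFER_BULK, 512 },
};
static const struct ep_desc bad_dev[] = {
    { 0x81, XFER_BULK, 8 }, { 0x82, XFER_BULK, 0 }, { 0x02, XFER_BULK, 512 },
};

int main(void)
{
    /* Exit status 0: good device accepted, mistyped endpoint rejected. */
    return !(ep_verify(good_dev, 3, 0x81, XFER_INT) &&
             !ep_verify(bad_dev, 3, 0x81, XFER_INT));
}
```

This covers only the first item in the quoted list (endpoint sizes and types); invalid data arriving on a valid endpoint still has to be checked where the driver parses it.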