On Wed, Nov 15, 2023 at 02:13:25PM +0200, Niklas Neronin wrote:
> The BOS descriptor defines a root descriptor and is the base descriptor for
> accessing a family of related descriptors.
>
> Function 'usb_get_bos_descriptor()' encounters an iteration issue when
> skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in
> the same descriptor being read repeatedly.
>
> To address this issue, a 'goto' statement is introduced to ensure that the
> pointer and the amount read is updated correctly. This ensures that the
> function iterates to the next descriptor instead of reading the same
> descriptor repeatedly.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 3dd550a2d365 ("USB: usbcore: Fix slab-out-of-bounds bug during device reset")
> Signed-off-by: Niklas Neronin <niklas.neronin@xxxxxxxxxxxxxxx>
> ---
Reviewed-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Don't know how I missed that four years ago...
> drivers/usb/core/config.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index b19e38d5fd10..7f8d33f92ddb 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -1047,7 +1047,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
>
> if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
> dev_notice(ddev, "descriptor type invalid, skip\n");
> - continue;
> + goto skip_to_next_descriptor;
> }
>
> switch (cap_type) {
> @@ -1078,6 +1078,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
> break;
> }
>
> +skip_to_next_descriptor:
> total_len -= length;
> buffer += length;
> }
> --
> 2.42.0
>
