usb_parse_endpoint processes an endpoint descriptor and then advances the parser to the next endpoint descriptor. However, a malicious device could feature something other than an endpoint descriptor after the interface descriptor Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/usb/core/config.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 050cd5066ccf..055910fc6b19 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, buffer += d->bLength; size -= d->bLength; + if (d->bDescriptorType != USB_DT_ENDPOINT) + goto skip_to_next_endpoint_or_interface_descriptor; if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE) n = USB_DT_ENDPOINT_AUDIO_SIZE; else if (d->bLength >= USB_DT_ENDPOINT_SIZE) -- 2.44.0
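Review bot: the new bDescriptorType check in usb_parse_endpoint() jumps to skip_to_next_endpoint_or_interface_descriptor without emitting any message, so a device that presents something other than an endpoint descriptor at this position is skipped silently. Consider logging through ddev (already a parameter, together with cfgno) with the unexpected type before the goto, so that malformed descriptors are visible in the kernel log. Note also that the check sits after `buffer += d->bLength; size -= d->bLength;`, so the offending descriptor has already been consumed when the jump is taken; if that is intended, a one-line comment above the check would make it explicit. The commit message stops at describing what a malicious device could do and does not say what goes wrong without the check; stating the consequence would help reviewers and anyone assessing the change for backporting.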