If a malicious device gives us a descriptor of zero length we'll go into an infinite loop. We have to check and do a hard bailout. If we get a descriptor of length < 2 we'll parse the next descriptor as part of the current descriptor. We need to check. Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> --- drivers/usb/core/config.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 5891652b6202..050cd5066ccf 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, const unsigned short *maxpacket_maxes; d = (struct usb_endpoint_descriptor *) buffer; + if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */ + return -EINVAL; + buffer += d->bLength; size -= d->bLength; -- 2.44.0
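Review bot: the new check bounds bLength only from below; the `size -= d->bLength;` two lines after it still trusts bLength from above, so a device that reports a bLength larger than the bytes remaining in the buffer is not rejected here and size goes negative (or wraps, depending on its type). Unless the caller already guarantees bLength <= size, the same early return should cover that case too, e.g. `if (d->bLength < sizeof(struct usb_descriptor_header) || d->bLength > size)`. Two smaller points on the same lines: the trailing `/* this amounts to sabotage */` says nothing about what is being rejected and pushes the `if` line well past 80 columns, so a one-line comment above it ("a descriptor shorter than its own header can never be stepped over") would read better; and the bare `return -EINVAL;` is silent, so a `dev_warn(ddev, ...)` naming cfgno and the offending bLength before the bailout would make the rejection diagnosable rather than just an enumeration failure.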
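To show concretely what the commit message describes (a zero bLength spinning the descriptor walk forever, and a bLength of 1 making the walker read a descriptor's own payload as the next header), here is an added, stand-alone C example that is not the kernel's code and not part of the patch above. It models the `buffer += d->bLength; size -= d->bLength;` stepping of a descriptor chain in two walkers: one that trusts bLength as the pre-patch code did, and one with the patch's `bLength < sizeof(struct usb_descriptor_header)` bailout. The descriptor chains are constructed by hand, the iteration cap in the naive walker exists only so the demo cannot actually hang, and the extra `bLength > size` check in the hardened walker is an assumption of this example, not something the patch adds.

```c
#include <stdint.h>
#include <stdio.h>

#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05
#define EINVAL 22   /* same value as the kernel errno, kept local so this builds anywhere */

/* Stand-in for the kernel's struct usb_descriptor_header: every USB
 * descriptor starts with these two bytes, so a well-formed bLength is >= 2. */
struct usb_descriptor_header {
	uint8_t bLength;
	uint8_t bDescriptorType;
} __attribute__((packed));

/* Constructed sample chains (not captured from a real device). */
/* Well-formed: a 9-byte interface descriptor followed by two 7-byte endpoints. */
const uint8_t good[] = {
	0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00,
	0x07, USB_DT_ENDPOINT,  0x81, 0x02, 0x40, 0x00, 0x00,
	0x07, USB_DT_ENDPOINT,  0x02, 0x02, 0x40, 0x00, 0x00,
};
/* Sabotage 1: the endpoint descriptor claims bLength == 0. */
const uint8_t zero_len[] = {
	0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00,
	0x00, USB_DT_ENDPOINT,  0x81, 0x02, 0x40, 0x00, 0x00,
};
/* Sabotage 2: bLength == 1, so a trusting walker lands one byte in and
 * reads the payload bytes 0x05 0x05 as a second endpoint header. */
const uint8_t short_len[] = {
	0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00,
	0x01, USB_DT_ENDPOINT,  0x05, 0x81, 0x02, 0x40,
	0x07, USB_DT_ENDPOINT,  0x02, 0x02, 0x40, 0x00, 0x00,
};
/* Sabotage 3: bLength (64) larger than the bytes that remain (7). */
const uint8_t over_len[] = {
	0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00,
	0x40, USB_DT_ENDPOINT,  0x81, 0x02, 0x40, 0x00, 0x00,
};

/* Pre-patch behaviour: trusts bLength blindly. Returns the number of
 * endpoint headers seen, or -1 when max_steps is hit, which is where the
 * real loop (which has no cap) would spin forever. */
int count_endpoints_naive(const uint8_t *buf, int size, int max_steps)
{
	int count = 0, steps = 0;

	while (size >= (int)sizeof(struct usb_descriptor_header)) {
		const struct usb_descriptor_header *h = (const void *)buf;

		if (++steps > max_steps)
			return -1;
		if (h->bDescriptorType == USB_DT_ENDPOINT)
			count++;
		buf += h->bLength;	/* bLength == 0: no progress, loops forever   */
		size -= h->bLength;	/* bLength == 1: lands inside this descriptor */
	}
	return count;
}

/* Hardened walk: the patch's bailout for bLength < header size, plus (an
 * assumption of this example) a bailout for bLength past the buffer end. */
int count_endpoints_checked(const uint8_t *buf, int size)
{
	int count = 0;

	while (size >= (int)sizeof(struct usb_descriptor_header)) {
		const struct usb_descriptor_header *h = (const void *)buf;

		if (h->bLength < (int)sizeof(struct usb_descriptor_header))
			return -EINVAL;	/* cannot be stepped over: zero or partial header */
		if (h->bLength > size)
			return -EINVAL;	/* would step past the end of the buffer */
		if (h->bDescriptorType == USB_DT_ENDPOINT)
			count++;
		buf += h->bLength;
		size -= h->bLength;
	}
	return count;
}

int main(void)
{
	printf("good:      naive=%d checked=%d\n",
	       count_endpoints_naive(good, sizeof(good), 100),
	       count_endpoints_checked(good, sizeof(good)));
	printf("zero_len:  naive=%d checked=%d\n",
	       count_endpoints_naive(zero_len, sizeof(zero_len), 100),
	       count_endpoints_checked(zero_len, sizeof(zero_len)));
	printf("short_len: naive=%d checked=%d\n",
	       count_endpoints_naive(short_len, sizeof(short_len), 100),
	       count_endpoints_checked(short_len, sizeof(short_len)));
	printf("over_len:  naive=%d checked=%d\n",
	       count_endpoints_naive(over_len, sizeof(over_len), 100),
	       count_endpoints_checked(over_len, sizeof(over_len)));
	return 0;
}
```

On the well-formed chain both walkers agree on two endpoints. On the zero-length chain the naive walker never advances and hits the cap; on the 1-byte chain it reports three endpoints, the extra one being the malformed descriptor's own payload reinterpreted as a header; on the overlong chain it quietly steps past the end of the buffer. The checked walker rejects all three with -EINVAL before stepping, which is the "hard bailout" the commit message asks for.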