On Thu, Apr 11, 2024 at 02:43:02PM +0200, Oliver Neukum wrote: > usb_parse_endpoint processes an endpoint descriptor and then > advances the parser to the next endpoint descriptor. > However, a malicious device could feature something other than > an endpoint descriptor after the interface descriptor > > Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> > --- > drivers/usb/core/config.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 050cd5066ccf..055910fc6b19 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, > buffer += d->bLength; > size -= d->bLength; > > + if (d->bDescriptorType != USB_DT_ENDPOINT) > + goto skip_to_next_endpoint_or_interface_descriptor; > if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE) > n = USB_DT_ENDPOINT_AUDIO_SIZE; > else if (d->bLength >= USB_DT_ENDPOINT_SIZE) Not needed, because usb_parse_interface() calls find_next_descriptor() to find an endpoint descriptor or another interface descriptor before the first time it calls usb_parse_endpoint(). Alan Stern
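Review bot: The added bDescriptorType test sits after "buffer += d->bLength; size -= d->bLength;", so when it fires the parser has already stepped past the descriptor it rejects, and the changelog does not say what goes wrong if a non-endpoint descriptor is parsed here. State the concrete failure in the commit message and whether consuming the descriptor before the goto is intended. The reply notes that usb_parse_interface() runs find_next_descriptor() before its first call to usb_parse_endpoint(), so if the test is kept as a defensive measure, add a comment above it naming that caller guarantee; otherwise the two lines read as handling a case that can happen. The jump to skip_to_next_endpoint_or_interface_descriptor is also silent, so consider whether a rejected descriptor should be logged.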