Re: [RFC 4/6] usb: usb_parse_endpoint guard against an incromprehensible preamble

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 11, 2024 at 02:43:02PM +0200, Oliver Neukum wrote:
> usb_parse_endpoint processes an endpoint descriptor and then
> advances the parser to the next endpoint descriptor.
> However, a malicious device could feature something other than
> an endpoint descriptor after the interface descriptor
> 
> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
> ---
>  drivers/usb/core/config.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 050cd5066ccf..055910fc6b19 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -271,6 +271,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno,
>  	buffer += d->bLength;
>  	size -= d->bLength;
>  
> +	if (d->bDescriptorType != USB_DT_ENDPOINT)
> +		goto skip_to_next_endpoint_or_interface_descriptor;
>  	if (d->bLength >= USB_DT_ENDPOINT_AUDIO_SIZE)
>  		n = USB_DT_ENDPOINT_AUDIO_SIZE;
>  	else if (d->bLength >= USB_DT_ENDPOINT_SIZE)

Not needed, because usb_parse_interface() calls find_next_descriptor() 
to find an endpoint descriptor or another interface descriptor before 
the first time it calls usb_parse_endpoint().

Alan Stern




[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux