On Thu, Apr 11, 2024 at 02:43:01PM +0200, Oliver Neukum wrote:
> If a malicious device gives us a descriptor of zero length
> we'll go into an infinite loop. We have to check and do
> a hard bailout.
> If we get a descriptor of length < 2 we'll parse the next
> descriptor as part of the current descriptor. We need to check.
>
> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
> ---
> drivers/usb/core/config.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 5891652b6202..050cd5066ccf 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -265,6 +265,9 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno,
> const unsigned short *maxpacket_maxes;
>
> d = (struct usb_endpoint_descriptor *) buffer;
> + if (d->bLength < sizeof(struct usb_descriptor_header)) /* this amounts to sabotage */
> + return -EINVAL;

Your 6/6 patch should guarantee that this can never happen. Then this
check won't be needed.

Alan Stern
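Review bot: the new check reads d->bLength immediately after the cast of buffer, so it relies on the caller already guaranteeing that at least sizeof(struct usb_descriptor_header) bytes remain in buffer; neither the hunk nor the commit message states that precondition, and the comment `/* this amounts to sabotage */` explains neither the invariant being enforced (bLength must cover at least the two-byte descriptor header, otherwise the descriptor walk makes no progress or the following descriptor is consumed as part of this one) nor why returning -EINVAL is the right response. Suggest replacing the comment with one that states the invariant, and, given the reply that patch 6/6 makes this condition unreachable, either dropping this per-parser check or recording in the commit message which layer owns bLength validation so the same check is not maintained in two places.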