On Thu, Apr 11, 2024 at 02:43:04PM +0200, Oliver Neukum wrote: > If you parse a data structure you cannot > just test whether the remainder of your buffer holds > data. It needs to hold a full data structure. > > Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx> > --- > drivers/usb/core/config.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 50acc9021247..43c5ed256e6e 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -32,7 +32,7 @@ static int find_next_descriptor(unsigned char *buffer, int size, > unsigned char *buffer0 = buffer; > > /* Find the next descriptor of type dt1 or dt2 */ > - while (size > 0) { > + while (size >= sizeof(struct usb_descriptor_header)) { > h = (struct usb_descriptor_header *) buffer; > if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2) > break; In fact, I don't think this is needed at all. These checks are already present in usb_parse_configuration(). Alan Stern
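Review bot: the new loop condition in find_next_descriptor() compares `size`, which the signature in the hunk header declares as `int`, against a `sizeof` result of type `size_t`, so `size` is converted to unsigned and a negative value passes the test where the old `size > 0` stopped the loop. Casting the right-hand side, as in `while (size >= (int)sizeof(struct usb_descriptor_header))`, keeps the comparison signed and preserves the old behaviour for negative remainders. The commit message would also benefit from stating whether any caller can reach this loop with fewer than sizeof(struct usb_descriptor_header) bytes remaining, since the reply points out that usb_parse_configuration() already performs such checks.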