[PATCH 4.9 021/105] USB: core: harden cdc_parse_cdc_header

From: Greg Kroah-Hartman
Date: Tue Oct 10 2017 - 17:01:37 EST


4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit 2e1c42391ff2556387b3cb6308b24f6f65619feb upstream.

Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function. He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).

So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.

Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Tested-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/usb/core/message.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2068,6 +2068,10 @@ int cdc_parse_cdc_header(struct usb_cdc_
elength = 1;
goto next_desc;
}
+ if ((buflen < elength) || (elength < 3)) {
+ dev_err(&intf->dev, "invalid descriptor buffer length\n");
+ break;
+ }
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(&intf->dev, "skipping garbage\n");
goto next_desc;