Commit 9d65d0e

dtorgregkh
authored andcommitted
Input: ims-psu - check if CDC union descriptor is sane
commit ea04efe upstream. Before trying to use the CDC union descriptor, validate that it is sane by checking that intf->altsetting->extra is big enough and that the descriptor's bLength is neither too big nor too small. Reported-by: Andrey Konovalov <[email protected]> Signed-off-by: Dmitry Torokhov <[email protected]> Cc: Ben Hutchings <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 8cf061d commit 9d65d0e

1 file changed

+14
-2
lines changed

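--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1635,13 +1635,25 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
 return NULL;
 }
 
-while (buflen > 0) {
+while (buflen >= sizeof(*union_desc)) {
 union_desc = (struct usb_cdc_union_desc *)buf;
 
+if (union_desc->bLength > buflen) {
+dev_err(&intf->dev, "Too large descriptor\n");
+return NULL;
+}
+
 if (union_desc->bDescriptorType == USB_DT_CS_INTERFACE &&
 union_desc->bDescriptorSubType == USB_CDC_UNION_TYPE) {
 dev_dbg(&intf->dev, "Found union header\n");
-return union_desc;
+
+if (union_desc->bLength >= sizeof(*union_desc))
+return union_desc;
+
+dev_err(&intf->dev,
+"Union descriptor to short (%d vs %zd\n)",
+union_desc->bLength, sizeof(*union_desc));
+return NULL;
 }
 
 buflen -= union_desc->bLength;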
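Review bot: The new length check at the top of the while loop rejects `bLength > buflen` but not a `bLength` of zero, and for a zero-length descriptor that is not a union header `buflen -= union_desc->bLength;` makes no progress, so the loop would not terminate unless the descriptors in `intf->altsetting->extra` are already validated before this function runs. Rejecting it in the same place, e.g. `if (!union_desc->bLength || union_desc->bLength > buflen) {` with a message such as `"Invalid descriptor length\n"`, closes that off regardless of what the caller guarantees. Separately, the new dev_err string has a typo and puts the newline before the closing parenthesis, and `sizeof` yields a `size_t`; `"Union descriptor too short (%d vs %zu)\n"` would print correctly. The function starts and continues outside this hunk, so the pointer advance that follows `buflen -= ...` is assumed to use the same `bLength`.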
