BACKPORT: USB: core: harden cdc_parse_cdc_header - xavi/android_kernel_m2note - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Marissa Wall <marissaw@google.com>	2017-11-16 14:32:40 -0800
committer	Moyster <oysterized@gmail.com>	2018-05-16 13:09:07 +0200
commit	67d144f83962dd0094fe022d45e4913c611658b7 (patch)
tree	f2177c3e189f768614cc199aea8057d2da163c3e /include/linux
parent	c8ef0fa630d3ad30d75fc03f850ad5a0c345ef69 (diff)

BACKPORT: USB: core: harden cdc_parse_cdc_header

Andrey Konovalov reported a possible out-of-bounds problem for the cdc_parse_cdc_header function. He writes: It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0). So fix this issue up by properly validating the buffer length matches what the descriptor says it is. (cherry picked from commit 2e1c42391ff2556387b3cb6308b24f6f65619feb) (The original patch fixed the generic cdc_parser_cdc_header function. That generic function did not exist in 3.10 but there are a couple cdc parsers that suffer from the same underlying problem.) Bug: 69052594 Change-Id: Ib251469de39e51b0ed7c1a1b88873270afccd90f Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Marissa Wall <marissaw@google.com>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: