| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| Thu, 21 Sep 2017 14:58:48 +0000 (16:58 +0200) | ||
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| Thu, 12 Oct 2017 09:27:33 +0000 (11:27 +0200) | ||
| commit | feab51a916ed07219dee38b898fe22bd2a98193a | |
| tree | e89433e978e81e8ee0d893f940c7934712c95743 | tree | snapshot (tar.xz tar.gz zip) |
| parent | 5d9a9c3dcc1f63215b5a5b877be589974ec4f31d | commit | diff |
USB: core: harden cdc_parse_cdc_header
commit 2e1c42391ff2556387b3cb6308b24f6f65619feb upstream.
Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function. He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).
So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2e1c42391ff2556387b3cb6308b24f6f65619feb upstream.
Andrey Konovalov reported a possible out-of-bounds problem for the
cdc_parse_cdc_header function. He writes:
It looks like cdc_parse_cdc_header() doesn't validate buflen
before accessing buffer[1], buffer[2] and so on. The only check
present is while (buflen > 0).
So fix this issue up by properly validating the buffer length matches
what the descriptor says it is.
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| drivers/net/usb/usbnet.c | diff | blob | history |