Module Name: src Committed By: maxv Date: Sat Jul 6 05:05:53 UTC 2019
Modified Files: src/sys/dev/usb: usb_subr.c Log Message: Fix two length checks, otherwise a malicious USB key plugged in the system could trigger overflows, seen with KASAN. To generate a diff of this commit: cvs rdiff -u -r1.230 -r1.231 src/sys/dev/usb/usb_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/usb_subr.c
diff -u src/sys/dev/usb/usb_subr.c:1.230 src/sys/dev/usb/usb_subr.c:1.231
--- src/sys/dev/usb/usb_subr.c:1.230 Tue Feb 12 14:17:44 2019
+++ src/sys/dev/usb/usb_subr.c Sat Jul 6 05:05:53 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.230 2019/02/12 14:17:44 rin Exp $ */
+/* $NetBSD: usb_subr.c,v 1.231 2019/07/06 05:05:53 maxv Exp $ */
 /* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
 /*
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.230 2019/02/12 14:17:44 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.231 2019/07/06 05:05:53 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -366,8 +366,8 @@ usbd_find_idesc(usb_config_descriptor_t
 altidx, curaidx);
 DPRINTFN(4, "len=%jd type=%jd", d->bLength, d->bDescriptorType, 0, 0);
- if (d->bLength == 0) /* bad descriptor */
- break;
+ if (d->bLength < USB_INTERFACE_DESCRIPTOR_SIZE)
+ break; /* bad descriptor */
 p += d->bLength;
 if (p <= end && d->bDescriptorType == UDESC_INTERFACE) {
 if (d->bInterfaceNumber != lastidx) {
@@ -402,8 +402,8 @@ usbd_find_edesc(usb_config_descriptor_t
 curidx = -1;
 for (p = (char *)d + d->bLength; p < end; ) {
 e = (usb_endpoint_descriptor_t *)p;
- if (e->bLength == 0) /* bad descriptor */
- break;
+ if (e->bLength < USB_ENDPOINT_DESCRIPTOR_SIZE)
+ break; /* bad descriptor */
 p += e->bLength;
 if (p <= end && e->bDescriptorType == UDESC_INTERFACE)
 return NULL;
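Review bot: In the usbd_find_idesc hunk (@@ -366,8 +366,8 @@) the new minimum-length test runs before the `d->bDescriptorType == UDESC_INTERFACE` test, so it applies to every descriptor the loop steps over, not only to interface descriptors. If the walk covers the whole configuration blob, as the later type test suggests, a well-formed descriptor of another type that is shorter than USB_INTERFACE_DESCRIPTOR_SIZE (an endpoint descriptor, for instance) would end the search early and hide later interfaces. The usbd_find_edesc hunk (@@ -402,8 +402,8 @@) has the same ordering with USB_ENDPOINT_DESCRIPTOR_SIZE. Consider a generic guard first, `if (d->bLength < 2 || d->bLength > end - p) break;`, and the type-specific size only once the type matches, e.g. `if (d->bDescriptorType == UDESC_INTERFACE && d->bLength < USB_INTERFACE_DESCRIPTOR_SIZE) break;`. The loop header of usbd_find_idesc lies outside the hunk, so the iteration range is inferred from the visible lines.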