Module Name: src
Committed By: snj
Date: Thu Dec 21 21:32:10 UTC 2017
Modified Files:
src/sys/dev/usb [netbsd-8]: usb_subr.c
Log Message:
Pull up following revision(s) (requested by khorben in ticket #447):
sys/dev/usb/usb_subr.c: revision 1.222
Be more defensive towards malicious USB devices
This avoids potential panics due to 0-sized memory allocation attempts,
which could be triggered by malicious USB devices.
Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
Based on an initial patch by Nick Hudson <[email protected]>, thanks!
Fixes PR kern/52383.
To generate a diff of this commit:
cvs rdiff -u -r1.220.2.1 -r1.220.2.2 src/sys/dev/usb/usb_subr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/usb_subr.c
diff -u src/sys/dev/usb/usb_subr.c:1.220.2.1 src/sys/dev/usb/usb_subr.c:1.220.2.2
--- src/sys/dev/usb/usb_subr.c:1.220.2.1 Thu Nov 2 21:29:52 2017
+++ src/sys/dev/usb/usb_subr.c Thu Dec 21 21:32:10 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.220.2.1 2017/11/02 21:29:52 snj Exp $ */
+/* $NetBSD: usb_subr.c,v 1.220.2.2 2017/12/21 21:32:10 snj Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
/*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.220.2.1 2017/11/02 21:29:52 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.220.2.2 2017/12/21 21:32:10 snj Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -609,6 +609,10 @@ usbd_set_config_index(struct usbd_device
return err;
}
len = UGETW(cd.wTotalLength);
+ if (len == 0) {
+ DPRINTF("empty short descriptor", 0, 0, 0, 0);
+ return USBD_INVAL;
+ }
cdp = kmem_alloc(len, KM_SLEEP);
/* Get the full descriptor. Try a few times for slow devices. */
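Review bot: The new `len == 0` guard rejects only a zero wTotalLength, so a device that reports a non-zero length smaller than the configuration descriptor header still gets an undersized buffer. Header fields such as `cdp->bNumInterface` (read in the last hunk of this commit) would then lie past the allocation, unless code outside the hunk validates the length again. Comparing against the header size covers both cases: `if (len < USB_CONFIG_DESCRIPTOR_SIZE) {`. The `blen == 0` guard in the BOS hunk has the same shape and should compare against the BOS descriptor header size in the same way. usbd_set_config_index starts and ends outside the hunk, so any later length check is not visible here.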
@@ -635,6 +639,11 @@ usbd_set_config_index(struct usbd_device
err = usbd_get_bos_desc(dev, index, &bd);
if (!err) {
int blen = UGETW(bd.wTotalLength);
+ if (blen == 0) {
+ DPRINTF("empty bos descriptor", 0, 0, 0, 0);
+ err = USBD_INVAL;
+ goto bad;
+ }
bdp = kmem_alloc(blen, KM_SLEEP);
/* Get the full desc */
@@ -724,6 +733,11 @@ usbd_set_config_index(struct usbd_device
/* Allocate and fill interface data. */
nifc = cdp->bNumInterface;
+ if (nifc == 0) {
+ DPRINTF("no interfaces", 0, 0, 0, 0);
+ err = USBD_INVAL;
+ goto bad;
+ }
dev->ud_ifaces = kmem_alloc(nifc * sizeof(struct usbd_interface),
KM_SLEEP);
DPRINTFN(5, "dev=%#jx cdesc=%#jx", (uintptr_t)dev, (uintptr_t)cdp,
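Review bot: The `nifc == 0` guard has no comment saying why zero is rejected; the reason (a device-supplied bNumInterface leading to a zero-sized kmem_alloc request) is recorded only in the commit log. I would add above the check `/* bNumInterface is device-controlled; never ask kmem_alloc() for 0 bytes. */`. The same one-line comment fits the `len` and `blen` guards earlier in the function. The function body continues outside the hunk.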