diff options
| author | Shuah Khan <shuahkh@osg.samsung.com> | 2017-12-22 19:23:46 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-01-17 09:38:56 +0100 |
| commit | 86c8d58fc7538d0f44367f49d24568e925049c0d (patch) | |
| tree | 610d4f360a27fd88cb7159e2f311f203cde0a9c9 /drivers/usb/usbip | |
| parent | 6851ec74bfe44e8aa568fd00603759c4a2918752 (diff) | |
| download | linux-stable-86c8d58fc7538d0f44367f49d24568e925049c0d.tar.gz linux-stable-86c8d58fc7538d0f44367f49d24568e925049c0d.tar.bz2 linux-stable-86c8d58fc7538d0f44367f49d24568e925049c0d.zip | |
usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
commit b78d830f0049ef1966dc1e0ebd1ec2a594e2cf25 upstream.
Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/usbip')
| -rw-r--r-- | drivers/usb/usbip/vudc_rx.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/drivers/usb/usbip/vudc_rx.c b/drivers/usb/usbip/vudc_rx.c index e429b59f6f8a..d020e72b3122 100644 --- a/drivers/usb/usbip/vudc_rx.c +++ b/drivers/usb/usbip/vudc_rx.c @@ -132,6 +132,25 @@ static int v_recv_cmd_submit(struct vudc *udc, urb_p->new = 1; urb_p->seqnum = pdu->base.seqnum; + if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) { + /* validate packet size and number of packets */ + unsigned int maxp, packets, bytes; + + maxp = usb_endpoint_maxp(urb_p->ep->desc); + maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc); + bytes = pdu->u.cmd_submit.transfer_buffer_length; + packets = DIV_ROUND_UP(bytes, maxp); + + if (pdu->u.cmd_submit.number_of_packets < 0 || + pdu->u.cmd_submit.number_of_packets > packets) { + dev_err(&udc->gadget.dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); + ret = -EMSGSIZE; + goto free_urbp; + } + } + ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type); if (ret) { usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC); |