diff options
author | Alan Stern <stern@rowland.harvard.edu> | 2017-12-12 14:25:13 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-12-20 10:10:18 +0100 |
commit | 4c5ae6a301a5415d1334f6c655bebf91d475bd89 (patch) | |
tree | d44a91dcdbfad973d3273eb4a3f20bf1ec3c005c /fs | |
parent | 6391294874d505a5e8681c41439a74e7019b267f (diff) | |
download | linux-stable-4c5ae6a301a5415d1334f6c655bebf91d475bd89.tar.gz linux-stable-4c5ae6a301a5415d1334f6c655bebf91d475bd89.tar.bz2 linux-stable-4c5ae6a301a5415d1334f6c655bebf91d475bd89.zip |
USB: core: prevent malicious bNumInterfaces overflow
commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
A malicious USB device with crafted descriptors can cause the kernel
to access unallocated memory by setting the bNumInterfaces value too
high in a configuration descriptor. Although the value is adjusted
during parsing, this adjustment is skipped in one of the error return
paths.
This patch prevents the problem by setting bNumInterfaces to 0
initially. The existing code already sets it to the proper value
after parsing is complete.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
0 files changed, 0 insertions, 0 deletions