diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-09 18:59:27 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-12 13:04:03 +0100 |
| commit | 153a2d7e3350cc89d406ba2d35be8793a64c2038 (patch) | |
| tree | a56722a96e98ca8a62d488219c7655a05acf412d /drivers/usb/gadget/legacy/dbgp.c | |
| parent | 7faac1953ed1f658f719cdf7bb7303fa5eef822c (diff) | |
| download | linux-153a2d7e3350cc89d406ba2d35be8793a64c2038.tar.gz linux-153a2d7e3350cc89d406ba2d35be8793a64c2038.tar.bz2 linux-153a2d7e3350cc89d406ba2d35be8793a64c2038.zip | |
USB: gadget: detect too-big endpoint 0 requests
Sometimes USB hosts can ask for buffers that are too large from endpoint
0, which should not be allowed. If this happens for OUT requests, stall
the endpoint, but for IN requests, trim the request size to the endpoint
buffer size.
Co-developed-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/gadget/legacy/dbgp.c')
| -rw-r--r-- | drivers/usb/gadget/legacy/dbgp.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c index e1d566c9918a..e567afcb2794 100644 --- a/drivers/usb/gadget/legacy/dbgp.c +++ b/drivers/usb/gadget/legacy/dbgp.c @@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget *gadget, void *data = NULL; u16 len = 0; + if (length > DBGP_REQ_LEN) { + if (ctrl->bRequestType == USB_DIR_OUT) { + return err; + } else { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(DBGP_REQ_LEN); + length = DBGP_REQ_LEN; + } + } + + if (request == USB_REQ_GET_DESCRIPTOR) { switch (value>>8) { case USB_DT_DEVICE: |