www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Alan Stern <stern@rowland.harvard.edu>
	Wed, 18 Oct 2017 16:49:38 +0000 (12:49 -0400)
committer	Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
	Wed, 6 Dec 2017 18:05:45 +0000 (10:05 -0800)
commit	34955d63c179ec178c73aaf53c51b7f29456b2ac
tree	939d6dba743aca1dd94c670dded2df68ea875cc4	tree
parent	6ab2d4c269b62650b44f0da909086981ad36da85	commit \| diff

USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor(). The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.

This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1c0edc3633b56000e18d82fc241e3995ca18a69e)

Orabug: 27207955
CVE: CVE-2017-16535

Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>