Commit 4a989136 authored by Tobias Herzog's avatar Tobias Herzog Committed by Greg Kroah-Hartman

cdc-acm: fix possible invalid access when processing notification

commit 1bb9914e upstream.

Notifications may only be 8 bytes long. Accessing the 9th and
10th byte of unimplemented/unknown notifications may be insecure.
Also check the length of known notifications before accessing anything
behind the 8th byte.
Signed-off-by: default avatarTobias Herzog <t-herzog@gmx.de>
Acked-by: default avatarOliver Neukum <oneukum@suse.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 603455cd
......@@ -315,6 +315,12 @@ static void acm_ctrl_irq(struct urb *urb)
break;
case USB_CDC_NOTIFY_SERIAL_STATE:
if (le16_to_cpu(dr->wLength) != 2) {
dev_dbg(&acm->control->dev,
"%s - malformed serial state\n", __func__);
break;
}
newctrl = get_unaligned_le16(data);
if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
......@@ -351,11 +357,10 @@ static void acm_ctrl_irq(struct urb *urb)
default:
dev_dbg(&acm->control->dev,
"%s - unknown notification %d received: index %d "
"len %d data0 %d data1 %d\n",
"%s - unknown notification %d received: index %d len %d\n",
__func__,
dr->bNotificationType, dr->wIndex,
dr->wLength, data[0], data[1]);
dr->bNotificationType, dr->wIndex, dr->wLength);
break;
}
exit:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment