Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/usb Fix two length checks, otherwise a malicious USB...
details: https://anonhg.NetBSD.org/src/rev/1e405b2257bb
branches: trunk
changeset: 457599:1e405b2257bb
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Jul 06 05:05:53 2019 +0000
description:
Fix two length checks, otherwise a malicious USB key plugged in the
system could trigger overflows, seen with KASAN.
diffstat:
sys/dev/usb/usb_subr.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diffs (40 lines):
diff -r 4c68fc929ace -r 1e405b2257bb sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c Sat Jul 06 00:45:02 2019 +0000
+++ b/sys/dev/usb/usb_subr.c Sat Jul 06 05:05:53 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: usb_subr.c,v 1.230 2019/02/12 14:17:44 rin Exp $ */
+/* $NetBSD: usb_subr.c,v 1.231 2019/07/06 05:05:53 maxv Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
/*
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.230 2019/02/12 14:17:44 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.231 2019/07/06 05:05:53 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_compat_netbsd.h"
@@ -366,8 +366,8 @@
altidx, curaidx);
DPRINTFN(4, "len=%jd type=%jd", d->bLength, d->bDescriptorType,
0, 0);
- if (d->bLength == 0) /* bad descriptor */
- break;
+ if (d->bLength < USB_INTERFACE_DESCRIPTOR_SIZE)
+ break; /* bad descriptor */
p += d->bLength;
if (p <= end && d->bDescriptorType == UDESC_INTERFACE) {
if (d->bInterfaceNumber != lastidx) {
@@ -402,8 +402,8 @@
curidx = -1;
for (p = (char *)d + d->bLength; p < end; ) {
e = (usb_endpoint_descriptor_t *)p;
- if (e->bLength == 0) /* bad descriptor */
- break;
+ if (e->bLength < USB_ENDPOINT_DESCRIPTOR_SIZE)
+ break; /* bad descriptor */
p += e->bLength;
if (p <= end && e->bDescriptorType == UDESC_INTERFACE)
return NULL;
Home |
Main Index |
Thread Index |
Old Index