[src/netbsd-7]: src/sys/dev/usb Pull up following revision(s) (requested by k...

[snj <snj%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9f3e43b211ee
branches:  netbsd-7
changeset: 800383:9f3e43b211ee
user:      snj <snj%NetBSD.org@localhost>
date:      Wed Jan 03 21:18:03 2018 +0000

description:
Pull up following revision(s) (requested by khorben in ticket #1541):
        sys/dev/usb/usb_subr.c: revision 1.222
Be more defensive towards malicious USB devices
This avoids potential panics due to 0-sized memory allocation attempts,
which could be triggered by malicious USB devices.
Tested on NetBSD/amd64 with a Sony Xperia X (SailfishOS).
Based on an initial patch by Nick Hudson <skrll%NetBSD.org@localhost>, thanks!
Fixes PR kern/52383.

diffstat:

 sys/dev/usb/usb_subr.c |  18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diffs (53 lines):

diff -r 35d4c1d47954 -r 9f3e43b211ee sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c    Wed Jan 03 21:11:40 2018 +0000
+++ b/sys/dev/usb/usb_subr.c    Wed Jan 03 21:18:03 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usb_subr.c,v 1.196.4.3 2017/04/05 19:54:20 snj Exp $   */
+/*     $NetBSD: usb_subr.c,v 1.196.4.4 2018/01/03 21:18:03 snj Exp $   */
 /*     $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $   */
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.196.4.3 2017/04/05 19:54:20 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.196.4.4 2018/01/03 21:18:03 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -644,6 +644,10 @@
                return err;
        }
        len = UGETW(cd.wTotalLength);
+       if (len == 0) {
+               DPRINTF("empty short descriptor", 0, 0, 0, 0);
+               return USBD_INVAL;
+       }
        cdp = kmem_alloc(len, KM_SLEEP);
        if (cdp == NULL)
                return USBD_NOMEM;
@@ -672,6 +676,11 @@
                err = usbd_get_bos_desc(dev, index, &bd);
                if (!err) {
                        int blen = UGETW(bd.wTotalLength);
+                       if (blen == 0) {
+                               DPRINTF("empty bos descriptor", 0, 0, 0, 0);
+                               err = USBD_INVAL;
+                               goto bad;
+                       }
                        bdp = kmem_alloc(blen, KM_SLEEP);
                        if (bdp == NULL) {
                                err = USBD_NOMEM;
@@ -765,6 +774,11 @@
 
        /* Allocate and fill interface data. */
        nifc = cdp->bNumInterface;
+       if (nifc == 0) {
+               DPRINTF("no interfaces", 0, 0, 0, 0);
+               err = USBD_INVAL;
+               goto bad;
+       }
        dev->ud_ifaces = kmem_alloc(nifc * sizeof(struct usbd_interface),
            KM_SLEEP);
        if (dev->ud_ifaces == NULL) {