USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
authorAlan Stern <stern@rowland.harvard.edu>
Wed, 18 Oct 2017 16:49:38 +0000 (12:49 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Oct 2017 08:23:15 +0000 (10:23 +0200)
commit9dff499d822660c6dbb2a407a7d85be26f87da07
tree638cc417cab90c08352f7a3298259063f7ea84d5
parentabe43c97cae28a0b06f632e2fbadd0c20b8cca5e
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.

Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor().  The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.

This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/config.c