USB: core: only clean up what we allocated
authorAndrey Konovalov <andreyknvl@google.com>
Mon, 11 Dec 2017 21:48:41 +0000 (22:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 Mar 2019 05:13:55 +0000 (14:13 +0900)
commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3 upstream.

When cleaning up the configurations, make sure we only free the number
of configurations and interfaces that we could have allocated.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/config.c

index bd749e78df592c132c502ab8c108f6ad75459916..1a6ccdd5a5fce023452263e777eb350441d31535 100644 (file)
@@ -768,18 +768,21 @@ void usb_destroy_configuration(struct usb_device *dev)
                return;
 
        if (dev->rawdescriptors) {
-               for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
+               for (i = 0; i < dev->descriptor.bNumConfigurations &&
+                               i < USB_MAXCONFIG; i++)
                        kfree(dev->rawdescriptors[i]);
 
                kfree(dev->rawdescriptors);
                dev->rawdescriptors = NULL;
        }
 
-       for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
+       for (c = 0; c < dev->descriptor.bNumConfigurations &&
+                       c < USB_MAXCONFIG; c++) {
                struct usb_host_config *cf = &dev->config[c];
 
                kfree(cf->string);
-               for (i = 0; i < cf->desc.bNumInterfaces; i++) {
+               for (i = 0; i < cf->desc.bNumInterfaces &&
+                               i < USB_MAXINTERFACES; i++) {
                        if (cf->intf_cache[i])
                                kref_put(&cf->intf_cache[i]->ref,
                                          usb_release_interface_cache);