]> asedeno.scripts.mit.edu Git - linux.git/blobdiff - drivers/usb/core/config.c
projects / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
[linux.git] / drivers / usb / core / config.c
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 68b54bd88d1eb009eddac3132402717a9c25f580..883549ee946cb5e206623bfc79d199620078a6bb 100644 (file)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -960,10 +960,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
        for (i = 0; i < num; i++) {
                buffer += length;
                cap = (struct usb_dev_cap_header *)buffer;
-               length = cap->bLength;
 
-               if (total_len < length)
+               if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+                       dev->bos->desc->bNumDeviceCaps = i;
                        break;
+               }
+               length = cap->bLength;
                total_len -= length;
 
                if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
local clone of linux.git