Re: [PATCH] Prevent buffer overflow on USB control endpoint

[Adding Lukasz and Marek]

On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich szymon.heidrich@gmail.com wrote:

Assure that the control endpoint buffer of size USB_BUFSIZ (4096) can not be overflown during handling of USB control transfer requests with wLength greater than USB_BUFSIZ.

Signed-off-by: Szymon Heidrich szymon.heidrich@gmail.com

drivers/usb/gadget/composite.c | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 2a309e624e..cb89f6dca9 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1019,6 +1019,17 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) u8 endp; struct usb_configuration *c;

•   if (w_length > USB_BUFSIZ) {
  

•           if (ctrl->bRequestType & USB_DIR_IN) {
  

•                   /* Cast away the const, we are going to overwrite on purpose. */
  

•                   __le16 *temp = (__le16 *)&ctrl->wLength;
  

•                   *temp = cpu_to_le16(USB_BUFSIZ);
  

•                   w_length = USB_BUFSIZ;
  

•           } else {
  

•                   goto done;
  

•           }
  

•   }
  

•   /*
     * partial re-init of the response message; the function or the
     * gadget might need to intercept e.g. a control-OUT completion
  

-- 2.38.1