USB: validate wMaxPacketValue entries in endpoint descriptors
authorAlan Stern <stern@rowland.harvard.edu>
Mon, 1 Aug 2016 19:25:56 +0000 (15:25 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 7 Sep 2016 06:32:39 +0000 (08:32 +0200)
commit391738b9a371412a3c394975f18696d908971b69
treeff2406b5a08bc73b9035553cd387bd08685c2d6e
parent365a5f484c89142aceee3e9ff2968c8c017a3abf
USB: validate wMaxPacketValue entries in endpoint descriptors

commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values.  This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/config.c