[PATCH] Prevent buffer overflow on USB control endpoint

Fabio Estevam festevam at gmail.com
Thu Nov 17 12:50:35 CET 2022


[Adding Lukasz and Marek]

On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich
<szymon.heidrich at gmail.com> wrote:
>
> Ensure that the control endpoint buffer of size USB_BUFSIZ (4096)
> cannot be overflowed during handling of USB control transfer
> requests with wLength greater than USB_BUFSIZ.
>
> Signed-off-by: Szymon Heidrich <szymon.heidrich at gmail.com>
> ---
>  drivers/usb/gadget/composite.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
> index 2a309e624e..cb89f6dca9 100644
> --- a/drivers/usb/gadget/composite.c
> +++ b/drivers/usb/gadget/composite.c
> @@ -1019,6 +1019,17 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
>         u8                              endp;
>         struct usb_configuration        *c;
>
> +       if (w_length > USB_BUFSIZ) {
> +               if (ctrl->bRequestType & USB_DIR_IN) {
> +                       /* Cast away the const, we are going to overwrite on purpose. */
> +                       __le16 *temp = (__le16 *)&ctrl->wLength;
> +                       *temp = cpu_to_le16(USB_BUFSIZ);
> +                       w_length = USB_BUFSIZ;
> +               } else {
> +                       goto done;
> +               }
> +       }
> +
>         /*
>          * partial re-init of the response message; the function or the
>          * gadget might need to intercept e.g. a control-OUT completion
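
Review bot: In the USB_DIR_IN branch, writing through `(__le16 *)&ctrl->wLength` changes a request that the function signature declares `const`, and the comment says this is deliberate without saying why clamping the local `w_length` alone is not enough. Please extend the comment to name what still reads `ctrl->wLength` after this point, or, if nothing does, drop the cast and keep only `w_length = USB_BUFSIZ;`. In the else branch, `goto done` depends on a return value set outside this hunk, so a one-line comment stating that oversized OUT requests are rejected there would let the reader confirm the transfer is refused rather than silently accepted.
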
> --
> 2.38.1
>


More information about the U-Boot mailing list