USB: gadget: validate interface OS descriptor requests

commit 75e5b48 upstream. Stall the control endpoint in case provided index exceeds array size of MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xanmod · Feb 16, 2022 · 3e33e5c · 3e33e5c
1 parent d3d5bfb
commit 3e33e5c
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
@@ -1975,6 +1975,9 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 				if (w_index != 0x5 || (w_value >> 8))
 					break;
 				interface = w_value & 0xFF;
+				if (interface >= MAX_CONFIG_INTERFACES ||
+				    !os_desc_cfg->interface[interface])
+					break;
 				buf[6] = w_index;
 				count = count_ext_prop(os_desc_cfg,
 					interface);