USB: validate wMaxPacketValue entries in endpoint descriptors
authorAlan Stern <stern@rowland.harvard.edu>
Mon, 1 Aug 2016 19:25:56 +0000 (15:25 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 Aug 2016 14:14:18 +0000 (16:14 +0200)
commitaed9d65ac3278d4febd8665bd7db59ef53e825fe
treef9a3decc5f7b42dc3b12e34b3fac1c20c3cbe713
parent9c6256a5e707a9eb8b91962b550050b13aa75334
USB: validate wMaxPacketValue entries in endpoint descriptors

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values.  This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/config.c