]> git.ipfire.org Git - thirdparty/kernel/stable.git/commit
usb: core: config: Prevent OOB read in SS endpoint companion parsing
authorXinyu Liu <katieeliu@tencent.com>
Mon, 30 Jun 2025 02:02:56 +0000 (10:02 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 Aug 2025 14:28:31 +0000 (16:28 +0200)
commit5badd56c711e2c8371d1670f9bd486697575423c
tree9deae76d57e7dc10ed23b2927a8ba3d0b8a7a961
parent492207cf8372f558f5ef31db3e737df9097fa99b
usb: core: config: Prevent OOB read in SS endpoint companion parsing

commit cf16f408364efd8a68f39011a3b073c83a03612d upstream.

usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.

Fix this up by checking the size first before looking at any of the
fields in the descriptor.

Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/core/config.c