usb: core: config: Prevent OOB read in SS endpoint companion parsing

usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.

Fix this up by checking the size first before looking at any of the
fields in the descriptor.

Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index fc0cfd94cbab22b642024924c9196455eb7602e3..42468bbeffd229c9e87996ec6bf5688a39f87284 100644 (file)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -107,8 +107,14 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno,
         */
        desc = (struct usb_ss_ep_comp_descriptor *) buffer;
 
-       if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
-                       size < USB_DT_SS_EP_COMP_SIZE) {
+       if (size < USB_DT_SS_EP_COMP_SIZE) {
+               dev_notice(ddev,
+                          "invalid SuperSpeed endpoint companion descriptor "
+                          "of length %d, skipping\n", size);
+               return;
+       }
+
+       if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP) {
                dev_notice(ddev, "No SuperSpeed endpoint companion for config %d "
                                " interface %d altsetting %d ep %d: "
                                "using minimum values\n",