git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Kelvin Mbogo <addcontent08@gmail.com>
	Wed, 25 Mar 2026 10:36:39 +0000 (13:36 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 2 Apr 2026 07:52:51 +0000 (09:52 +0200)
commit	591c1d972d8f19862ecd7279c7ef4df48b0a9b33
tree	87fec5835104bfc30e35251d01bd9568ee767cf5	tree \| snapshot
parent	1897852293faca4c2be51e0a19f739622f771623	commit \| diff

usb: usbip: validate iso frame actual_length in usbip_recv_iso()

usbip_recv_iso() sums each frame's actual_length into an int
accumulator without checking the individual values first:

total_length += urb->iso_frame_desc[i].actual_length;

A malicious server can send actual_length = 0xFFFFFFFC for one frame
and a small value for the other, making the signed sum wrap around to
match urb->actual_length. The sanity check passes, and usbip_pad_iso()
later computes a negative actualoffset, feeding it to memmove() as a
source pointer - reads before the allocation, leaked to userspace via
USBDEVFS_REAPURB.

Reject any frame whose actual_length exceeds transfer_buffer_length
(one frame can't carry more data than the whole buffer), and widen the
accumulator to u32 so that many moderately-large frames can't wrap it
either.

Signed-off-by: Kelvin Mbogo <addcontent08@gmail.com>
Link: https://patch.msgid.link/20260325103640.8090-2-addcontent08@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>