• Malte Leip's avatar
    usb: usbip: fix isoc packet num validation in get_pipe · c409ca3b
    Malte Leip authored
    Change the validation of number_of_packets in get_pipe to compare the
    number of packets to a fixed maximum number of packets allowed, set to
    be 1024. This number was chosen due to it being used by other drivers as
    well, for example drivers/usb/host/uhci-q.c
    
    Background/reason:
    The get_pipe function in stub_rx.c validates the number of packets in
    isochronous mode and aborts with an error if that number is too large,
    in order to prevent malicious input from possibly triggering large
    memory allocations. This was previously done by checking whether
    pdu->u.cmd_submit.number_of_packets is bigger than the number of packets
    that would be needed for pdu->u.cmd_submit.transfer_buffer_length bytes
    if all except possibly the last packet had maximum length, given by
    usb_endpoint_maxp(epd) *  usb_endpoint_maxp_mult(epd). This leads to an
    error if URBs with packets shorter than the maximum possible length are
    submitted, which is allowed according to
    Documentation/driver-api/usb/URB.rst and occurs for example with the
    snd-usb-audio driver.
    
    Fixes: c6688ef9 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input")
    Signed-off-by: default avatarMalte Leip <malte@leip.net>
    Cc: stable <stable@vger.kernel.org>
    Acked-by: default avatarShuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    c409ca3b
usbip_common.h 10.1 KB