Commit c5922c99 authored by Johan Hovold's avatar Johan Hovold Committed by Sasha Levin

USB: hub: fix SS hub-descriptor handling

[ Upstream commit 2c25a2c8 ]

A SuperSpeed hub descriptor does not have any variable-length fields so
bail out when reading a short descriptor.

This avoids parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes.

Fixes: dbe79bbe ("USB 3.0 Hub Changes")
Cc: stable <stable@vger.kernel.org>     # 2.6.39
Cc: John Youn <John.Youn@synopsys.com>
Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
parent de90980c
...@@ -377,9 +377,13 @@ static int get_hub_descriptor(struct usb_device *hdev, void *data) ...@@ -377,9 +377,13 @@ static int get_hub_descriptor(struct usb_device *hdev, void *data)
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB, USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
dtype << 8, 0, data, size, dtype << 8, 0, data, size,
USB_CTRL_GET_TIMEOUT); USB_CTRL_GET_TIMEOUT);
if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) if (hub_is_superspeed(hdev)) {
if (ret == size)
return ret;
} else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
return ret; return ret;
} }
}
return -EINVAL; return -EINVAL;
} }
...@@ -1331,7 +1335,7 @@ static int hub_configure(struct usb_hub *hub, ...@@ -1331,7 +1335,7 @@ static int hub_configure(struct usb_hub *hub,
/* Request the entire hub descriptor. /* Request the entire hub descriptor.
* hub->descriptor can handle USB_MAXCHILDREN ports, * hub->descriptor can handle USB_MAXCHILDREN ports,
* but the hub can/will return fewer bytes here. * but a (non-SS) hub can/will return fewer bytes here.
*/ */
ret = get_hub_descriptor(hdev, hub->descriptor); ret = get_hub_descriptor(hdev, hub->descriptor);
if (ret < 0) { if (ret < 0) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment