Commit 54364278 authored by Oliver Neukum, committed by Greg Kroah-Hartman

USB: CDC: fix sanity checks in CDC union parser

A few checks checked for the size of the pointer to a structure
instead of the structure itself. Copy & paste issue presumably.

Fixes: e4c6fb77 ("usbnet: move the CDC parser into USB core")
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot+45a53506b65321c1fe91@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@suse.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c52873e5
...@@ -2218,14 +2218,14 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, ...@@ -2218,14 +2218,14 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
(struct usb_cdc_dmm_desc *)buffer; (struct usb_cdc_dmm_desc *)buffer;
break; break;
case USB_CDC_MDLM_TYPE: case USB_CDC_MDLM_TYPE:
if (elength < sizeof(struct usb_cdc_mdlm_desc *)) if (elength < sizeof(struct usb_cdc_mdlm_desc))
goto next_desc; goto next_desc;
if (desc) if (desc)
return -EINVAL; return -EINVAL;
desc = (struct usb_cdc_mdlm_desc *)buffer; desc = (struct usb_cdc_mdlm_desc *)buffer;
break; break;
case USB_CDC_MDLM_DETAIL_TYPE: case USB_CDC_MDLM_DETAIL_TYPE:
if (elength < sizeof(struct usb_cdc_mdlm_detail_desc *)) if (elength < sizeof(struct usb_cdc_mdlm_detail_desc))
goto next_desc; goto next_desc;
if (detail) if (detail)
return -EINVAL; return -EINVAL;
......
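Review bot: In both changed conditions (the USB_CDC_MDLM_TYPE and USB_CDC_MDLM_DETAIL_TYPE cases) the size is still spelled as a type name, which is the form that let the stray `*` go unnoticed. Writing `if (elength < sizeof(*desc))` would tie the bound to the pointer assigned at `desc = (struct usb_cdc_mdlm_desc *)buffer;`, and `sizeof(*detail)` would do the same in the second case, so the length check cannot drift from the type the buffer is cast to. `sizeof` of a pointer type is the platform's pointer width and has no relation to the descriptor layout, so the old comparison behaved differently on 32-bit and 64-bit builds; stating that in the commit message, along with the two descriptor types touched, would help anyone backporting to stable confirm that no other case in the switch carries the same pattern.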