usb: cdc-acm: Fix handling of oversized fragments

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If we receive an initial fragment of size 8 bytes which specifies a wLength
of 1 byte (so the reassembled message is supposed to be 9 bytes long), and
we then receive a second fragment of size 9 bytes (which is not supposed to
happen), we currently wrongly bypass the fragment reassembly code but still
pass the pointer to the acm->notification_buffer to
acm_process_notification().

Make this less wrong by always going through fragment reassembly when we
expect more fragments.

Before this patch, receiving an overlong fragment could lead to `newctrl`
in acm_process_notification() being uninitialized data (instead of data
coming from the device).

Cc: stable <stable@kernel.org>
Fixes: ea2583529cd1 ("cdc-acm: reassemble fragmented notifications")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Jann Horn and committed by

Greg Kroah-Hartman 1 year ago 12e71296 e563b012

+1 -1

1 changed file

expand all

drivers

usb

class

cdc-acm.c

+1 -1

drivers/usb/class/cdc-acm.c

··· 416 416 expected_size = sizeof(struct usb_cdc_notification) + 417 417 le16_to_cpu(dr->wLength); 418 418 419 - if (current_size < expected_size) { 419 + if (acm->nb_index != 0 || current_size < expected_size) { 420 420 /* notification is transmitted fragmented, reassemble */ 421 421 if (acm->nb_size < expected_size) { 422 422 u8 *new_buffer;