USB: usbfs: Filter flags passed in from user space

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
Improve sanity checking.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Oliver Neukum and committed by

Greg Kroah-Hartman 8 years ago 446f666d a7c42106

+9 -5

1 changed file

expand all

drivers

usb

core

devio.c

+9 -5

drivers/usb/core/devio.c

··· 1442 1442 int number_of_packets = 0; 1443 1443 unsigned int stream_id = 0; 1444 1444 void *buf; 1445 - 1446 - if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP | 1447 - USBDEVFS_URB_SHORT_NOT_OK | 1445 + unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | 1448 1446 USBDEVFS_URB_BULK_CONTINUATION | 1449 1447 USBDEVFS_URB_NO_FSBR | 1450 1448 USBDEVFS_URB_ZERO_PACKET | 1451 - USBDEVFS_URB_NO_INTERRUPT)) 1452 - return -EINVAL; 1449 + USBDEVFS_URB_NO_INTERRUPT; 1450 + /* USBDEVFS_URB_ISO_ASAP is a special case */ 1451 + if (uurb->type == USBDEVFS_URB_TYPE_ISO) 1452 + mask |= USBDEVFS_URB_ISO_ASAP; 1453 + 1454 + if (uurb->flags & ~mask) 1455 + return -EINVAL; 1456 + 1453 1457 if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) 1454 1458 return -EINVAL; 1455 1459 if (uurb->buffer_length > 0 && !uurb->buffer)