USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()

Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor().  The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.

This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.

Change-Id: I4dcdbd4d5be97a01a6c3bf9020985c7979c04f29
Git-commit: 1c0edc3633b56000e18d82fc241e3995ca18a69e
Git-repo: https://github.com/torvalds/linux
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 6b3ca727f35..98a87503378 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -828,10 +828,12 @@ int usb_get_bos_descriptor(struct usb_device *dev)
 	for (i = 0; i < num; i++) {
 		buffer += length;
 		cap = (struct usb_dev_cap_header *)buffer;
-		length = cap->bLength;
 
-		if (total_len < length)
+		if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+			dev->bos->desc->bNumDeviceCaps = i;
 			break;
+		}
+		length = cap->bLength;
 		total_len -= length;
 
 		if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {