Also verify transfer directions match what is expected for the operation
type. Addresses memory corruption and disclosure vulnerability
CVE-2022-2347.

Signed-off-by: Sultan Qasim Khan <sultan.qasimk...@nccgroup.com>
---
 drivers/usb/gadget/f_dfu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
index e9340ff5cb..4a7057c529 100644
--- a/drivers/usb/gadget/f_dfu.c
+++ b/drivers/usb/gadget/f_dfu.c
@@ -323,7 +323,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
 
        switch (ctrl->bRequest) {
        case USB_REQ_DFU_DNLOAD:
-               if (len == 0) {
+               if (len == 0 || len > DFU_USB_BUFSIZ || (ctrl->bRequestType & 
USB_DIR_IN)) {
                        f_dfu->dfu_state = DFU_STATE_dfuERROR;
                        value = RET_STALL;
                        break;
@@ -333,6 +333,11 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
                value = handle_dnload(gadget, len);
                break;
        case USB_REQ_DFU_UPLOAD:
+               if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) 
!= USB_DIR_IN) {
+                       f_dfu->dfu_state = DFU_STATE_dfuERROR;
+                       value = RET_STALL;
+                       break;
+               }
                f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
                f_dfu->blk_seq_num = 0;
                value = handle_upload(req, len);
@@ -428,6 +433,11 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
 
        switch (ctrl->bRequest) {
        case USB_REQ_DFU_DNLOAD:
+               if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) {
+                       f_dfu->dfu_state = DFU_STATE_dfuERROR;
+                       value = RET_STALL;
+                       break;
+               }
                f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
                f_dfu->blk_seq_num = w_value;
                value = handle_dnload(gadget, len);
@@ -515,6 +525,11 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
 
        switch (ctrl->bRequest) {
        case USB_REQ_DFU_UPLOAD:
+               if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) 
!= USB_DIR_IN) {
+                       f_dfu->dfu_state = DFU_STATE_dfuERROR;
+                       value = RET_STALL;
+                       break;
+               }
                /* state transition if less data then requested */
                f_dfu->blk_seq_num = w_value;
                value = handle_upload(req, len);
-- 
2.31.1

Reply via email to