Also verify transfer directions match what is expected for the operation type. Addresses memory corruption and disclosure vulnerability CVE-2022-2347.
Signed-off-by: Sultan Qasim Khan <sultan.qasimk...@nccgroup.com> --- drivers/usb/gadget/f_dfu.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c index e9340ff5cb..4a7057c529 100644 --- a/drivers/usb/gadget/f_dfu.c +++ b/drivers/usb/gadget/f_dfu.c @@ -323,7 +323,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: - if (len == 0) { + if (len == 0 || len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) { f_dfu->dfu_state = DFU_STATE_dfuERROR; value = RET_STALL; break; @@ -333,6 +333,11 @@ static int state_dfu_idle(struct f_dfu *f_dfu, value = handle_dnload(gadget, len); break; case USB_REQ_DFU_UPLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE; f_dfu->blk_seq_num = 0; value = handle_upload(req, len); @@ -428,6 +433,11 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_DNLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN)) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC; f_dfu->blk_seq_num = w_value; value = handle_dnload(gadget, len); @@ -515,6 +525,11 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu, switch (ctrl->bRequest) { case USB_REQ_DFU_UPLOAD: + if (len > DFU_USB_BUFSIZ || (ctrl->bRequestType & USB_DIR_IN) != USB_DIR_IN) { + f_dfu->dfu_state = DFU_STATE_dfuERROR; + value = RET_STALL; + break; + } /* state transition if less data then requested */ f_dfu->blk_seq_num = w_value; value = handle_upload(req, len); -- 2.31.1