Public bug reported: Bug #1413992 's patch introduced a possible infinite loop.
commit 0d3bba0287d4e284c3ec7d3397e81eec920d5e7e Author: Quentin Casasnovas <[email protected]> Date: Tue Apr 14 11:25:43 2015 +0200 cdc-acm: prevent infinite loop when parsing CDC headers. Phil and I found out a problem with commit: 7e860a6e7aa6 ("cdc-acm: add sanity checks") It added some sanity checks to ignore potential garbage in CDC headers but also introduced a potential infinite loop. This can happen at the first loop iteration (elength = 0 in that case) if the description isn't a DT_CS_INTERFACE or later if 'buffer[0]' is zero. It should also be noted that the wrong length was being added to 'buffer' in case 'buffer[1]' was not a DT_CS_INTERFACE descriptor, since elength was assigned after that check in the loop. A specially crafted USB device could be used to trigger this infinite loop. Fixes: 7e860a6e7aa6 ("cdc-acm: add sanity checks") Signed-off-by: Phil Turnbull <[email protected]> Signed-off-by: Quentin Casasnovas <[email protected]> CC: Sergei Shtylyov <[email protected]> CC: Oliver Neukum <[email protected]> CC: Adam Lee <[email protected]> CC: <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> ** Affects: linux (Ubuntu) Importance: High Assignee: Adam Lee (adam8157) Status: In Progress ** Affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Affects: linux (Ubuntu Utopic) Importance: Undecided Status: New ** Affects: linux (Ubuntu Vivid) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1460657 Title: possible infinite loop when parsing CDC headers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1460657/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
