From patchwork Thu Oct 6 17:16:10 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [hardy, CVE, 1/1] UBUNTU: SAUCE: auerswald: validate the length of USB strings Date: Thu, 06 Oct 2011 07:16:10 -0000 From: Andy Whitcroft X-Patchwork-Id: 118136 Message-Id: <1317921370-25771-2-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft When attempting to name a device we request various strings from the device. A malicious device could return very long strings triggering a buffer overflow. CVE-2009-4067 BugLink: http://bugs.launchpad.net/bugs/869195 Signed-off-by: Andy Whitcroft Acked-by: Seth Forshee --- drivers/usb/misc/auerswald.c | 14 ++++++++++++-- 1 files changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c index df7e1ec..5111b80 100644 --- a/drivers/usb/misc/auerswald.c +++ b/drivers/usb/misc/auerswald.c @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf, /* Try to get a suitable textual description of the device */ /* Device name:*/ ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); - if (ret >= 0) { + /* + * If we were successful, and there is room remaining for a serial + * number then look it up and append it. Assume the serial number + * is at least 4 digits. + */ + if (ret >= 0 && ret < AUSI_DLEN-1-6-4) { u += ret; /* Append Serial Number */ memcpy(&cp->dev_desc[u], ",Ser# ", 6); u += 6; ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); - if (ret >= 0) { + /* + * If we were successful and there is room remaining for + * the subscriber prefix then look it up and append it. + * Assume the subscriber number is at least 1 digit. + */ + if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) { u += ret; /* Append subscriber number */ memcpy(&cp->dev_desc[u], ", ", 2);
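Review bot: In both new conditions, `ret < AUSI_DLEN-1-6-4` and `ret < AUSI_DLEN-u-1-2-1`, the reserved space is written as bare literals that must stay in step with the `memcpy` lengths on the lines that follow (6 for ",Ser# " and 2 for ", "). Consider deriving them from the separator strings, for example `sizeof(",Ser# ") - 1`, or from named constants, so the bound and the copy cannot drift apart. The minimum field lengths of 4 and 1 are explained only in the comments and would read better as named constants too. When either check fails, the remaining fields are skipped without any trace. Since the commit message attributes over-long strings to a malicious device, a debug-level message at that point would help anyone triaging such a device. The hunk ends at the `memcpy` of ", ", so the lookup of the subscriber number and the size passed to it are not visible here; that call should be checked for the same kind of bound before this is merged.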