[PATCH 4.14 49/71] USB: CDC: fix sanity checks in CDC union parser
From: Greg Kroah-Hartman
Date: Thu Aug 22 2019 - 13:26:32 EST
From: Oliver Neukum <oneukum@xxxxxxxx>
commit 54364278fb3cabdea51d6398b07c87415065b3fc upstream.
A few checks checked for the size of the pointer to a structure
instead of the structure itself. Copy & paste issue presumably.
Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
Cc: stable <stable@xxxxxxxxxxxxxxx>
Reported-by: syzbot+45a53506b65321c1fe91@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
Link: https://lore.kernel.org/r/20190813093541.18889-1-oneukum@xxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/core/message.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2143,14 +2143,14 @@ int cdc_parse_cdc_header(struct usb_cdc_
(struct usb_cdc_dmm_desc *)buffer;
break;
case USB_CDC_MDLM_TYPE:
- if (elength < sizeof(struct usb_cdc_mdlm_desc *))
+ if (elength < sizeof(struct usb_cdc_mdlm_desc))
goto next_desc;
if (desc)
return -EINVAL;
desc = (struct usb_cdc_mdlm_desc *)buffer;
break;
case USB_CDC_MDLM_DETAIL_TYPE:
- if (elength < sizeof(struct usb_cdc_mdlm_detail_desc *))
+ if (elength < sizeof(struct usb_cdc_mdlm_detail_desc))
goto next_desc;
if (detail)
return -EINVAL;