From: Kelvin Mbogo <addcontent08@gmail.com>
To: linux-usb@vger.kernel.org
Cc: gregkh@linuxfoundation.org, skhan@linuxfoundation.org,
Kelvin Mbogo <addcontent08@gmail.com>
Subject: [PATCH v2 2/3] usb: usbip: validate iso frame actual_length in usbip_recv_iso()
Date: Wed, 25 Mar 2026 13:36:39 +0300 [thread overview]
Message-ID: <20260325103640.8090-2-addcontent08@gmail.com> (raw)
In-Reply-To: <20260325103640.8090-1-addcontent08@gmail.com>
usbip_recv_iso() sums each frame's actual_length into an int
accumulator without checking the individual values first:
total_length += urb->iso_frame_desc[i].actual_length;
A malicious server can send actual_length = 0xFFFFFFFC for one frame
and a small value for the other, making the signed sum wrap around to
match urb->actual_length. The sanity check passes, and usbip_pad_iso()
later computes a negative actualoffset, feeding it to memmove() as a
source pointer - reads before the allocation, leaked to userspace via
USBDEVFS_REAPURB.
Reject any frame whose actual_length exceeds transfer_buffer_length
(one frame can't carry more data than the whole buffer), and widen the
accumulator to u32 so that many moderately-large frames can't wrap it
either.
Signed-off-by: Kelvin Mbogo <addcontent08@gmail.com>
---
drivers/usb/usbip/usbip_common.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index 8b6eb74..fd620e9 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -665,7 +665,7 @@ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb)
int size;
int i;
int ret;
- int total_length = 0;
+ u32 total_length = 0;
if (!usb_pipeisoc(urb->pipe))
return 0;
@@ -706,14 +706,23 @@ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb)
for (i = 0; i < np; i++) {
usbip_iso_packet_correct_endian(&iso[i], 0);
usbip_pack_iso(&iso[i], &urb->iso_frame_desc[i], 0);
+ if (urb->iso_frame_desc[i].actual_length >
+ (unsigned int)urb->transfer_buffer_length) {
+ dev_err(&urb->dev->dev,
+ "recv iso: frame actual_length %u exceeds buffer %d\n",
+ urb->iso_frame_desc[i].actual_length,
+ urb->transfer_buffer_length);
+ kfree(buff);
+ return -EPROTO;
+ }
total_length += urb->iso_frame_desc[i].actual_length;
}
kfree(buff);
- if (total_length != urb->actual_length) {
+ if (total_length != (u32)urb->actual_length) {
dev_err(&urb->dev->dev,
- "total length of iso packets %d not equal to actual length of buffer %d\n",
+ "total length of iso packets %u not equal to actual length of buffer %d\n",
total_length, urb->actual_length);
if (ud->side == USBIP_STUB || ud->side == USBIP_VUDC)
--
2.34.1
next prev parent reply other threads:[~2026-03-25 10:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 10:36 [PATCH v2 1/3] usb: usbip: fix integer overflow in usbip_recv_iso() Kelvin Mbogo
2026-03-25 10:36 ` Kelvin Mbogo [this message]
2026-03-25 10:36 ` [PATCH v2 3/3] usb: usbip: fix OOB read/write in usbip_pad_iso() Kelvin Mbogo
2026-03-25 10:42 ` [PATCH v2 1/3] usb: usbip: fix integer overflow in usbip_recv_iso() Greg KH
-- strict thread matches above, loose matches on Subject: below --
2026-03-25 10:48 Kelvin Mbogo
2026-03-25 10:48 ` [PATCH v2 2/3] usb: usbip: validate iso frame actual_length " Kelvin Mbogo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260325103640.8090-2-addcontent08@gmail.com \
--to=addcontent08@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-usb@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.