[PATCH] usbip: validate iso_frame_desc offset and length in usbip_recv_iso()

[Sebastian Josue Alba Vives <sebasjosue84@gmail.com>]

From: Sebastián Alba Vives <sebasjosue84@gmail.com>

usbip_recv_iso() receives isochronous packet descriptors from the
network and unpacks them into urb->iso_frame_desc[] via
usbip_pack_iso(). The offset and actual_length fields in each
descriptor come directly from the remote peer without validation.

These fields are subsequently used by usbip_pad_iso() in memmove
operations:

  memmove(urb->transfer_buffer + iso_frame_desc[i].offset,
          urb->transfer_buffer + actualoffset,
          iso_frame_desc[i].actual_length);

A malicious USB/IP server can craft iso frame descriptors with
offset and/or actual_length values exceeding the transfer buffer
bounds, causing an out-of-bounds memmove that corrupts kernel heap
memory. This is exploitable over the network without authentication.

This is a separate vulnerability from the number_of_packets
validation issue. Even with a valid number_of_packets, the
individual descriptor fields can still cause OOB access.

Add validation that each iso_frame_desc entry's offset +
actual_length falls within the transfer buffer bounds. Return
-EPROTO and trigger a connection reset if any entry is invalid.

Cc: stable@vger.kernel.org
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
---
 drivers/usb/usbip/usbip_common.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index f1eeab3a5..8b6ca8f83 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -711,6 +711,34 @@ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb)
 
 	kfree(buff);
 
+	/*
+	 * Validate each iso_frame_desc entry. The offset and actual_length
+	 * come from the network and must not exceed the transfer buffer.
+	 * Without this check, a malicious server could craft iso descriptors
+	 * with out-of-bounds offset/length values, causing usbip_pad_iso()
+	 * to perform memmove operations beyond the transfer buffer, leading
+	 * to heap buffer overflow.
+	 */
+	for (i = 0; i < np; i++) {
+		unsigned int offset = urb->iso_frame_desc[i].offset;
+		unsigned int length = urb->iso_frame_desc[i].actual_length;
+
+		if (offset > urb->transfer_buffer_length ||
+		    length > urb->transfer_buffer_length - offset) {
+			dev_err(&urb->dev->dev,
+				"iso frame %d: offset %u + length %u > buffer %u\n",
+				i, offset, length,
+				urb->transfer_buffer_length);
+
+			if (ud->side == USBIP_STUB || ud->side == USBIP_VUDC)
+				usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
+			else
+				usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
+
+			return -EPROTO;
+		}
+	}
+
 	if (total_length != urb->actual_length) {
 		dev_err(&urb->dev->dev,
 			"total length of iso packets %d not equal to actual length of buffer %d\n",
-- 
2.43.0