Re: [PATCH] USB: core: Avoid WARNings for 0-length descriptor requests
From: Johan Hovold <johan@kernel.org>
Date: 2021-06-07 07:57:48
On Fri, Jun 04, 2021 at 12:10:39PM -0400, Alan Stern wrote:
quoted hunk ↗ jump to hunk
The USB core has utility routines to retrieve various types of descriptors. These routines will now provoke a WARN if they are asked to retrieve 0 bytes (USB "receive" requests must not have zero length), so avert this by checking the size argument at the start. Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: Johan Hovold <johan@kernel.org> --- [as1962] drivers/usb/core/message.c | 4 ++++ 1 file changed, 4 insertions(+) Index: usb-devel/drivers/usb/core/message.c ===================================================================--- usb-devel.orig/drivers/usb/core/message.c +++ usb-devel/drivers/usb/core/message.c@@ -783,6 +783,8 @@ int usb_get_descriptor(struct usb_device int i; int result; + if (size <= 0) /* No point in asking for no data */ + return -EINVAL;
I'd put a newline after the sanity checks as Peter suggested too, but looks good otherwise so either way: Reviewed-by: Johan Hovold <johan@kernel.org>
quoted hunk ↗ jump to hunk
memset(buf, 0, size); /* Make sure we parse really received data */ for (i = 0; i < 3; ++i) {@@ -832,6 +834,8 @@ static int usb_get_string(struct usb_dev int i; int result; + if (size <= 0) /* No point in asking for no data */ + return -EINVAL; for (i = 0; i < 3; ++i) { /* retry on length 0 or stall; some devices are flakey */ result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
Johan