All of
 help / color / mirror / Atom feed
From: Alan Stern <>
To: Greg KH <>
Cc: Johan Hovold <>,
	USB mailing list <>
Subject: [PATCH] USB: core: Check buffer length matches wLength for control transfers
Date: Wed, 26 May 2021 11:32:44 -0400	[thread overview]
Message-ID: <> (raw)

A type of inconsistency that can show up in control URBs is when the
setup packet's wLength value does not match the URB's
transfer_buffer_length field.  The two should always be equal;
differences could lead to information leaks or undefined behavior for
OUT transfers or overruns for IN transfers.

This patch adds a test for such mismatches during URB submission.  If
the test fails, the submission is rejected with a -EBADR error code
(which is not used elsewhere in the USB core), and a debugging message
is logged for people interested in tracking down these errors.

Signed-off-by: Alan Stern <>
CC: Johan Hovold <>



 Documentation/driver-api/usb/error-codes.rst |    3 +++
 drivers/usb/core/urb.c                       |    6 ++++++
 2 files changed, 9 insertions(+)

Index: usb-devel/drivers/usb/core/urb.c
--- usb-devel.orig/drivers/usb/core/urb.c
+++ usb-devel/drivers/usb/core/urb.c
@@ -410,6 +410,12 @@ int usb_submit_urb(struct urb *urb, gfp_
 		dev_WARN_ONCE(&dev->dev, (usb_pipeout(urb->pipe) != is_out),
 				"BOGUS control dir, pipe %x doesn't match bRequestType %x\n",
 				urb->pipe, setup->bRequestType);
+		if (le16_to_cpu(setup->wLength) != urb->transfer_buffer_length) {
+			dev_dbg(&dev->dev, "BOGUS control len %d doesn't match transfer length %d\n",
+					le16_to_cpu(setup->wLength),
+					urb->transfer_buffer_length);
+			return -EBADR;
+		}
 	} else {
 		is_out = usb_endpoint_dir_out(&ep->desc);
Index: usb-devel/Documentation/driver-api/usb/error-codes.rst
--- usb-devel.orig/Documentation/driver-api/usb/error-codes.rst
+++ usb-devel/Documentation/driver-api/usb/error-codes.rst
@@ -61,6 +61,9 @@ USB-specific:
 			(c) requested data transfer length is invalid: negative
 			    or too large for the host controller.
+``-EBADR``		The wLength value in a control URB's setup packet does
+			not match the URB's transfer_buffer_length.
 ``-ENOSPC``		This request would overcommit the usb bandwidth reserved
 			for periodic transfers (interrupt, isochronous).

             reply	other threads:[~2021-05-26 15:32 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-26 15:32 Alan Stern [this message]
2021-05-27  8:23 ` [PATCH] USB: core: Check buffer length matches wLength for control transfers Johan Hovold
2021-05-27 11:46 ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.