ChromiumOS USB Hardening

0001-secure-usb.patch

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 6a287c81a7be..331aacaa1dba 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -27,8 +27,16 @@ static int find_next_descriptor(unsigned char *buffer, int size,
 	unsigned char *buffer0 = buffer;
 
 	/* Find the next descriptor of type dt1 or dt2 */
-	while (size > 0) {
+	while (size >= sizeof(struct usb_descriptor_header)) {
 		h = (struct usb_descriptor_header *) buffer;
+		if (size < h->bLength) {
+			buffer += size;
+			size = 0;
+			++n;
+			break;
+		}
+
+
 		if (h->bDescriptorType == dt1 || h->bDescriptorType == dt2)
 			break;
 		buffer += h->bLength;
@@ -412,7 +420,16 @@ static int usb_parse_interface(struct device *ddev, int cfgno,
 	int len, retval;
 	int num_ep, num_ep_orig;
 
+	if (size < sizeof(struct usb_interface_descriptor))
+		return -EINVAL;
+
 	d = (struct usb_interface_descriptor *) buffer;
+
+	if (size < d->bLength) {
+		buffer += size;
+		return -EINVAL;
+	}
+
 	buffer += d->bLength;
 	size -= d->bLength;
 
@@ -480,6 +497,11 @@ static int usb_parse_interface(struct device *ddev, int cfgno,
 	/* Parse all the endpoint descriptors */
 	n = 0;
 	while (size > 0) {
+		if (size < sizeof(struct usb_descriptor_header)) {
+			buffer += size;
+			break;
+		}
+
 		if (((struct usb_descriptor_header *) buffer)->bDescriptorType
 		     == USB_DT_INTERFACE)
 			break;