[hardy CVE 1/1] UBUNTU: SAUCE: auerswald: validate the length of USB strings

Andy Whitcroft apw at canonical.com
Thu Oct 6 17:16:10 UTC 2011


When attempting to name a device we request various strings from the
device.  A malicious device could return very long strings triggering a
buffer overflow.

CVE-2009-4067
BugLink: http://bugs.launchpad.net/bugs/869195
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 drivers/usb/misc/auerswald.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c
index df7e1ec..5111b80 100644
--- a/drivers/usb/misc/auerswald.c
+++ b/drivers/usb/misc/auerswald.c
@@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf,
 	/* Try to get a suitable textual description of the device */
 	/* Device name:*/
 	ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
-	if (ret >= 0) {
+	/*
+	 * If we were successful, and there is room remaining for a serial
+	 * number then look it up and append it.  Assume the serial number
+	 * is at least 4 digits.
+	 */
+	if (ret >= 0 && ret < AUSI_DLEN-1-6-4) {
 		u += ret;
 		/* Append Serial Number */
 		memcpy(&cp->dev_desc[u], ",Ser# ", 6);
 		u += 6;
 		ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
-		if (ret >= 0) {
+		/*
+		 * If we were successful and there is room remaining for
+		 * the subscriber prefix then look it up and append it.
+		 * Assume the subscriber number is at least 1 digit.
+		 */
+		if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) {
 			u += ret;
 			/* Append subscriber number */
 			memcpy(&cp->dev_desc[u], ", ", 2);
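
Review bot: The first new condition, `ret < AUSI_DLEN-1-6-4`, bounds ret alone, so it is only a correct room check if u is 0 when it runs, and the initial value of u is not visible in this hunk. The second condition already subtracts the current offset (`AUSI_DLEN-u-1-2-1`); writing the first as `ret < AUSI_DLEN-u-1-6-4` would make both checks hold regardless of the starting offset and match the size passed to the usb_string() call that follows. The bare 6 and 2 also repeat the memcpy lengths for ",Ser# " and ", " by hand; deriving both the check and the copy length from one named constant (or sizeof of the literal minus one) would keep them from drifting apart if a separator is ever changed.
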
-- 
1.7.4.1




