Fix a potential panic during free(9) which can be caused by an USB

device which returns a spurious value for wTotalLength on a configuration
descriptor request.  Therefore don't relay on wTotalLength for free(9)
but on the length variable which was used for the malloc(9) before.

The issue was reported by
Mikolaj Kucharski <mikolaj (at) kucharski (dot) name> on bugs@.

Discussed and ok deraadt@

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/dev/usb/usb.c b/sys/dev/usb/usb.c
index e2c8f1b97b2..4ca725aad6d 100644
--- a/sys/dev/usb/usb.c
+++ b/sys/dev/usb/usb.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: usb.c,v 1.124 2019/10/06 17:11:51 mpi Exp $	*/
+/*	$OpenBSD: usb.c,v 1.125 2020/08/27 19:55:00 mglocker Exp $	*/
 /*	$NetBSD: usb.c,v 1.77 2003/01/01 00:10:26 thorpej Exp $	*/
 
 /*
@@ -740,7 +740,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t data, int flag, struct proc *p)
 		usb_config_descriptor_t *cdesc;
 		struct iovec iov;
 		struct uio uio;
-		size_t len;
+		size_t len, cdesc_len;
 
 		if (addr < 1 || addr >= USB_MAX_DEVICES)
 			return (EINVAL);
@@ -755,7 +755,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t data, int flag, struct proc *p)
 		    USB_TASK_TYPE_GENERIC);
 		usb_add_task(sc->sc_bus->root_hub, &udf_task);
 		usb_wait_task(sc->sc_bus->root_hub, &udf_task);
-		len = udf->udf_size;
+		len = cdesc_len = udf->udf_size;
 		cdesc = (usb_config_descriptor_t *)udf->udf_data;
 		*udf = save_udf;
 		if (cdesc == NULL)
@@ -772,7 +772,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t data, int flag, struct proc *p)
 		uio.uio_rw = UIO_READ;
 		uio.uio_procp = p;
 		error = uiomove((void *)cdesc, len, &uio);
-		free(cdesc, M_TEMP, UGETW(cdesc->wTotalLength));
+		free(cdesc, M_TEMP, cdesc_len);
 		return (error);
 	}