usb: gadget: dfu: Fix the unchecked length field

DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction. Fixing the length and transfer direction. CVE-2022-2347 Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com> Reviewed-by: Marek Vasut <marex@denx.de>

Author: Venkatesh Yadav Abbarapu

drivers/usb/gadget/f_dfu.c

@@ -324,7 +324,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
 
 switch (ctrl->bRequest) {
 case USB_REQ_DFU_DNLOAD:
-if (!(ctrl->bRequestType & USB_DIR_IN)) {
+if (ctrl->bRequestType == USB_DIR_OUT) {
 if (len == 0) {
 f_dfu->dfu_state = DFU_STATE_dfuERROR;
 value = RET_STALL;
@@ -336,7 +336,7 @@ static int state_dfu_idle(struct f_dfu *f_dfu,
 }
 break;
 case USB_REQ_DFU_UPLOAD:
-if (ctrl->bRequestType & USB_DIR_IN) {
+if (ctrl->bRequestType == USB_DIR_IN) {
 f_dfu->dfu_state = DFU_STATE_dfuUPLOAD_IDLE;
 f_dfu->blk_seq_num = 0;
 value = handle_upload(req, len);
@@ -435,7 +435,7 @@ static int state_dfu_dnload_idle(struct f_dfu *f_dfu,
 
 switch (ctrl->bRequest) {
 case USB_REQ_DFU_DNLOAD:
-if (!(ctrl->bRequestType & USB_DIR_IN)) {
+if (ctrl->bRequestType == USB_DIR_OUT) {
 f_dfu->dfu_state = DFU_STATE_dfuDNLOAD_SYNC;
 f_dfu->blk_seq_num = w_value;
 value = handle_dnload(gadget, len);
@@ -526,7 +526,7 @@ static int state_dfu_upload_idle(struct f_dfu *f_dfu,
 
 switch (ctrl->bRequest) {
 case USB_REQ_DFU_UPLOAD:
-if (ctrl->bRequestType & USB_DIR_IN) {
+if (ctrl->bRequestType == USB_DIR_IN) {
 /* state transition if less data then requested */
 f_dfu->blk_seq_num = w_value;
 value = handle_upload(req, len);