CVE-2026-31607

Summary

In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the original number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source – in usbip_pack_ret_submit() before the overwrite – and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 324262c38438255bf6bdbf6342ca47c0badaab76affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 973f2c250289f5bf6cc146b98aa6fdde11fe50d6affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < ce744264b06b97069b3722511ab355738311fee0affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 885c8591784da6314f9aa82fa460ac69f9f79e5faffected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 8d155e2d1c4102f74f82a2bf9c016164bb0f7384affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 906f16a836de13fe61f49cdce2f66f2dbd14caf4affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < ef8ebb1c637b4cfb61a9dd2e013376774ee2033baffected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 5e1c4ece08ccdc197177631f111845a2c68eede3affected
LinuxLinux1325f85fa49f57df034869de430f7c302ae23109 < 2ab833a16a825373aad2ba7d54b572b277e95b71affected
LinuxLinuxd9638d9236eed035a575feddec61d036dacc2676affected
LinuxLinuxca7d3501b7a287c18b5b470e871d3029b0f4842aaffected
LinuxLinux1ce528277e1a66856ed3f7526c1e3458c0ed4a70affected
LinuxLinuxdb898d0c5c493ce4177d5e1d3a953e079a56a24baffected
LinuxLinux5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9aaffected
LinuxLinux2.6.32.37 < 2.6.33affected
LinuxLinux2.6.33.10 < 2.6.34affected
LinuxLinux2.6.34.11 < 2.6.35affected
LinuxLinux2.6.35.13 < 2.6.36affected
LinuxLinux2.6.38.3 < 2.6.39affected
LinuxLinux2.6.39affected
LinuxLinux0 < 2.6.39unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: usbip: validate number_of_packets in usbip_pack_ret_submit()

Additional References

References