CVE-2026-31607

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
24/04/2026
Last modified:
28/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

  The buggy address is located 0 bytes to the right of
  allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.
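
The bound check described above, as an added user-space model in C; it is not the kernel patch. The `model_*` names and the simplified structs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel types (assumed for this model). */
struct iso_desc { unsigned int offset, length, actual_length; int status; };
struct model_urb {
    int number_of_packets;            /* fixed at allocation from CMD_SUBMIT */
    struct iso_desc iso_frame_desc[]; /* flexible array, sized once */
};
struct model_ret_submit { int number_of_packets; }; /* taken from the network */

struct model_urb *model_alloc_urb(int npackets)
{
    struct model_urb *urb =
        calloc(1, sizeof(*urb) + (size_t)npackets * sizeof(struct iso_desc));
    if (urb)
        urb->number_of_packets = npackets;
    return urb;
}

/* Returns 0 if accepted, -1 if clamped (negative check is this sketch's own). */
int model_pack_ret_submit(struct model_urb *urb, const struct model_ret_submit *rpdu)
{
    const int n = rpdu->number_of_packets;
    if (n < 0 || n > urb->number_of_packets) {
        urb->number_of_packets = 0; /* clamp so the receive loop does nothing */
        return -1;
    }
    urb->number_of_packets = n;
    return 0;
}

/* Receive loop model: returns how many descriptors were written. */
int model_recv_iso(struct model_urb *urb, const struct iso_desc *wire)
{
    for (int i = 0; i < urb->number_of_packets; i++)
        urb->iso_frame_desc[i] = wire[i];
    return urb->number_of_packets;
}

int main(void)
{
    struct iso_desc wire[8] = {{0}};            /* constructed sample data */
    struct model_ret_submit bad = { 8 };        /* response claims 8 packets */
    struct model_urb *urb = model_alloc_urb(4); /* CMD_SUBMIT asked for 4 */
    int rc = urb ? model_pack_ret_submit(urb, &bad) : -1;
    printf("check=%d written=%d\n", rc, urb ? model_recv_iso(urb, wire) : 0);
    free(urb);
    return 0;
}
```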

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.39 (including) 6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 7.0 (including) 7.0.1 (excluding)