]>
Commit | Line | Data |
---|---|---|
90594201 GKH |
1 | From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001 |
2 | From: Johan Hovold <johan@kernel.org> | |
3 | Date: Mon, 13 Mar 2017 13:47:50 +0100 | |
4 | Subject: USB: uss720: fix NULL-deref at probe | |
5 | ||
6 | From: Johan Hovold <johan@kernel.org> | |
7 | ||
8 | commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. | |
9 | ||
10 | Make sure to check the number of endpoints to avoid dereferencing a | |
11 | NULL-pointer or accessing memory beyond the endpoint array should a | |
12 | malicious device lack the expected endpoints. | |
13 | ||
14 | Note that the endpoint access that causes the NULL-deref is currently | |
15 | only used for debugging purposes during probe so the oops only happens | |
16 | when dynamic debugging is enabled. This means the driver could be | |
17 | rewritten to continue to accept device with only two endpoints, should | |
18 | such devices exist. | |
19 | ||
20 | Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") | |
21 | Signed-off-by: Johan Hovold <johan@kernel.org> | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | drivers/usb/misc/uss720.c | 5 +++++ | |
26 | 1 file changed, 5 insertions(+) | |
27 | ||
28 | --- a/drivers/usb/misc/uss720.c | |
29 | +++ b/drivers/usb/misc/uss720.c | |
30 | @@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter | |
31 | ||
32 | interface = intf->cur_altsetting; | |
33 | ||
34 | + if (interface->desc.bNumEndpoints < 3) { | |
35 | + usb_put_dev(usbdev); | |
36 | + return -ENODEV; | |
37 | + } | |
38 | + | |
39 | /* | |
40 | * Allocate parport interface | |
41 | */ |