net: usb: pegasus: validate USB endpoints

The pegasus driver should validate that the device it is probing has the
proper number and types of USB endpoints it is expecting before it binds
to it.  If a malicious device were to not have the same urbs the driver
will crash later on when it blindly accesses these endpoints.

Cc: Petko Manolov <petkan@nucleusys.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026022347-legibly-attest-cc5c@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index b84968c5f074c8df6527c076b4f4137ea82ed658..c497202b78e8225c96b6f3d4926488850a43acc0 100644 (file)
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -812,8 +812,19 @@ static void unlink_all_urbs(pegasus_t *pegasus)
 
 static int alloc_urbs(pegasus_t *pegasus)
 {
+       static const u8 bulk_ep_addr[] = {
+               1 | USB_DIR_IN,
+               2 | USB_DIR_OUT,
+               0};
+       static const u8 int_ep_addr[] = {
+               3 | USB_DIR_IN,
+               0};
        int res = -ENOMEM;
 
+       if (!usb_check_bulk_endpoints(pegasus->intf, bulk_ep_addr) ||
+           !usb_check_int_endpoints(pegasus->intf, int_ep_addr))
+               return -ENODEV;
+
        pegasus->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
        if (!pegasus->rx_urb) {
                return res;
@@ -1168,6 +1179,7 @@ static int pegasus_probe(struct usb_interface *intf,
 
        pegasus = netdev_priv(net);
        pegasus->dev_index = dev_index;
+       pegasus->intf = intf;
 
        res = alloc_urbs(pegasus);
        if (res < 0) {
@@ -1179,7 +1191,6 @@ static int pegasus_probe(struct usb_interface *intf,
 
        INIT_DELAYED_WORK(&pegasus->carrier_check, check_carrier);
 
-       pegasus->intf = intf;
        pegasus->usb = dev;
        pegasus->net = net;