mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-01 19:06:25 -05:00
58 lines
1.8 KiB
Plaintext
58 lines
1.8 KiB
Plaintext
From 129e6372f40a423bcded0a6dae547205edf652fb Mon Sep 17 00:00:00 2001
|
|
From: Oliver Neukum <oneukum@suse.com>
|
|
Date: Thu, 31 Mar 2016 12:04:26 -0400
|
|
Subject: USB: digi_acceleport: do sanity checking for the number of ports
|
|
|
|
commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
|
|
|
|
The driver can be crashed with devices that expose crafted descriptors
|
|
with too few endpoints.
|
|
|
|
See: http://seclists.org/bugtraq/2016/Mar/61
|
|
|
|
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
|
|
[johan: fix OOB endpoint check and add error messages ]
|
|
Cc: stable <stable@vger.kernel.org>
|
|
Signed-off-by: Johan Hovold <johan@kernel.org>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
---
|
|
drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
|
|
1 file changed, 19 insertions(+)
|
|
|
|
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
|
|
index 7b807d3..8c34d9c 100644
|
|
--- a/drivers/usb/serial/digi_acceleport.c
|
|
+++ b/drivers/usb/serial/digi_acceleport.c
|
|
@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
|
|
|
|
static int digi_startup(struct usb_serial *serial)
|
|
{
|
|
+ struct device *dev = &serial->interface->dev;
|
|
struct digi_serial *serial_priv;
|
|
int ret;
|
|
+ int i;
|
|
+
|
|
+ /* check whether the device has the expected number of endpoints */
|
|
+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
|
|
+ dev_err(dev, "OOB endpoints missing\n");
|
|
+ return -ENODEV;
|
|
+ }
|
|
+
|
|
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
|
|
+ if (!serial->port[i]->read_urb) {
|
|
+ dev_err(dev, "bulk-in endpoint missing\n");
|
|
+ return -ENODEV;
|
|
+ }
|
|
+ if (!serial->port[i]->write_urb) {
|
|
+ dev_err(dev, "bulk-out endpoint missing\n");
|
|
+ return -ENODEV;
|
|
+ }
|
|
+ }
|
|
|
|
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
|
|
if (!serial_priv)
|
|
--
|
|
cgit v1.1
|
|
|