mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 05:35:54 +00:00
42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 4ec0ef3a82125efc36173062a50624550a900ae0 Mon Sep 17 00:00:00 2001
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Date: Mon, 14 Mar 2016 10:42:38 -0400
|
|
Subject: USB: iowarrior: fix oops with malicious USB descriptors
|
|
|
|
The iowarrior driver expects at least one valid endpoint. If given
|
|
malicious descriptors that specify 0 for the number of endpoints,
|
|
it will crash in the probe function. Ensure there is at least
|
|
one endpoint on the interface before using it.
|
|
|
|
The full report of this issue can be found here:
|
|
http://seclists.org/bugtraq/2016/Mar/87
|
|
|
|
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
|
Cc: stable <stable@vger.kernel.org>
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
---
|
|
drivers/usb/misc/iowarrior.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
|
|
index c6bfd13..1950e87 100644
|
|
--- a/drivers/usb/misc/iowarrior.c
|
|
+++ b/drivers/usb/misc/iowarrior.c
|
|
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
|
|
iface_desc = interface->cur_altsetting;
|
|
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
|
|
|
|
+ if (iface_desc->desc.bNumEndpoints < 1) {
|
|
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
|
|
+ retval = -EINVAL;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
/* set up the endpoint information */
|
|
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
|
|
endpoint = &iface_desc->endpoint[i].desc;
|
|
--
|
|
cgit v1.1
|
|
|