mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-18 15:25:58 +00:00
47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
From 2fac1c275bbea560d607f2e52d23c4f92dccc12f Mon Sep 17 00:00:00 2001
|
|
From: Badhri Jagan Sridharan <Badhri@google.com>
|
|
Date: Tue, 30 Aug 2016 13:37:07 -0700
|
|
Subject: UPSTREAM: USB: iowarrior: fix oops with malicious USB descriptors
|
|
|
|
commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
|
|
|
|
The iowarrior driver expects at least one valid endpoint. If given
|
|
malicious descriptors that specify 0 for the number of endpoints,
|
|
it will crash in the probe function. Ensure there is at least
|
|
one endpoint on the interface before using it.
|
|
|
|
The full report of this issue can be found here:
|
|
http://seclists.org/bugtraq/2016/Mar/87
|
|
|
|
BUG: 28242610
|
|
|
|
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
|
|
Change-Id: If5161c23928e9ef77cb3359cba9b36622b1908df
|
|
---
|
|
drivers/usb/misc/iowarrior.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
|
|
index d36f34e..4c24ba0 100644
|
|
--- a/drivers/usb/misc/iowarrior.c
|
|
+++ b/drivers/usb/misc/iowarrior.c
|
|
@@ -792,6 +792,12 @@ static int iowarrior_probe(struct usb_interface *interface,
|
|
iface_desc = interface->cur_altsetting;
|
|
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
|
|
|
|
+ if (iface_desc->desc.bNumEndpoints < 1) {
|
|
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
|
|
+ retval = -EINVAL;
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
/* set up the endpoint information */
|
|
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
|
|
endpoint = &iface_desc->endpoint[i].desc;
|
|
--
|
|
cgit v1.1
|
|
|