| From f0688c8b81d2ea239c3fb0b848f623b579238d99 Mon Sep 17 00:00:00 2001 |
| From: Michal Nazarewicz <mina86@mina86.com> |
| Date: Tue, 17 Jun 2014 17:47:41 +0200 |
| Subject: usb: gadget: f_fs: fix NULL pointer dereference when there are no strings |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: Michal Nazarewicz <mina86@mina86.com> |
| |
| commit f0688c8b81d2ea239c3fb0b848f623b579238d99 upstream. |
| |
| If the descriptors do not need any strings and user space sends an empty |
| set of strings, the ffs->stringtabs field remains NULL. Thus |
| *ffs->stringtabs in functionfs_bind leads to a NULL pointer |
| dereference. |
| |
| The bug was introduced by commit [fd7c9a007f: “use usb_string_ids_n()”]. |
| |
| While at it, remove double initialisation of lang local variable in |
| that function. |
| |
| ffs->strings_count does not need to be checked in any way since in |
| the above scenario it will remain zero and usb_string_ids_n() is |
| a no-operation when called with a 0 argument. |
| |
| Signed-off-by: Michal Nazarewicz <mina86@mina86.com> |
| Signed-off-by: Felipe Balbi <balbi@ti.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/usb/gadget/f_fs.c | 12 +++++++----- |
| 1 file changed, 7 insertions(+), 5 deletions(-) |
| |
| --- a/drivers/usb/gadget/f_fs.c |
| +++ b/drivers/usb/gadget/f_fs.c |
| @@ -1227,11 +1227,13 @@ static int functionfs_bind(struct ffs_da |
| ffs->ep0req->context = ffs; |
| |
| lang = ffs->stringtabs; |
| - for (lang = ffs->stringtabs; *lang; ++lang) { |
| - struct usb_string *str = (*lang)->strings; |
| - int id = first_id; |
| - for (; str->s; ++id, ++str) |
| - str->id = id; |
| + if (lang) { |
| + for (; *lang; ++lang) { |
| + struct usb_string *str = (*lang)->strings; |
| + int id = first_id; |
| + for (; str->s; ++id, ++str) |
| + str->id = id; |
| + } |
| } |
| |
| ffs->gadget = cdev->gadget; |
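Review bot: The new `if (lang)` guard in functionfs_bind has no comment saying why `ffs->stringtabs` may legitimately be NULL, so a later reader cannot tell a valid state from a masked bug. I would put `/* stringtabs stays NULL when user space supplied an empty string set */` directly above the guard. Per the commit message the empty set comes from user space, which made this a user-triggerable kernel NULL dereference. Any other dereference of `ffs->stringtabs` would presumably need the same guard, but none is visible here because the function body starts before and continues after this hunk.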