| From: Johan Hovold <johan@kernel.org> |
| Date: Thu, 9 Feb 2017 12:11:41 +0100 |
| Subject: USB: serial: mos7840: fix another NULL-deref at open |
| |
| commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream. |
| |
| Fix another NULL-pointer dereference at open should a malicious device |
| lack an interrupt-in endpoint. |
| |
| Note that the driver has a broken check for an interrupt-in endpoint |
| which means that an interrupt URB has never even been submitted. |
| |
| Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") |
| Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/usb/serial/mos7840.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/usb/serial/mos7840.c |
| +++ b/drivers/usb/serial/mos7840.c |
| @@ -1058,6 +1058,7 @@ static int mos7840_open(struct tty_struc |
| * (can't set it up in mos7840_startup as the structures * |
| * were not set up at that time.) */ |
| if (port0->open_ports == 1) { |
| + /* FIXME: Buffer never NULL, so URB is not submitted. */ |
| if (serial->port[0]->interrupt_in_buffer == NULL) { |
| /* set up interrupt urb */ |
| usb_fill_int_urb(serial->port[0]->interrupt_in_urb, |
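Review bot: The added FIXME above the `interrupt_in_buffer == NULL` test names the symptom but not why the buffer can no longer be NULL, so a later reader cannot tell that the guarantee comes from a check in another function. Judging by the second hunk, it is the new `num_interrupt_in < 1` rejection in mos7840_startup that makes this branch unreachable. If that check is ever relaxed, the branch would again pass port 0's interrupt-in URB to `usb_fill_int_urb` for a device without that endpoint. I would spell the dependency out, for example `/* FIXME: startup rejects devices without an interrupt-in endpoint, so the buffer is never NULL here and this URB is never submitted; the test looks inverted. */`. The `if` block and the `usb_fill_int_urb` call continue past the end of the hunk, so what else the branch touches is not visible here.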
| @@ -2385,7 +2386,8 @@ static int mos7840_startup(struct usb_se |
| } |
| |
| if (serial->num_bulk_in < serial->num_ports || |
| - serial->num_bulk_out < serial->num_ports) { |
| + serial->num_bulk_out < serial->num_ports || |
| + serial->num_interrupt_in < 1) { |
| dev_err(&serial->interface->dev, "missing endpoints\n"); |
| return -ENODEV; |
| } |
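Review bot: The new `serial->num_interrupt_in < 1` term carries no comment explaining why an interrupt-in endpoint is mandatory, and it shares the generic "missing endpoints" message with the bulk checks. Endpoint counts come from device-supplied descriptors, so this is a validation of untrusted input that should be hard to remove by accident. A short comment such as `/* open() sets up port[0]'s interrupt-in URB; refuse devices that do not provide one */` would tie it to the dereference the commit message describes. It would also help triage if the log line reported the counts seen, e.g. `dev_err(&serial->interface->dev, "missing endpoints (bulk-in %d, bulk-out %d, int-in %d)\n", ...)`, with the format specifiers matched to the fields' actual types. The body of mos7840_startup starts and ends outside this hunk, so whether any later code assumes more than one interrupt-in endpoint cannot be judged from here.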