| From a7f05811b9bfb323caab862523253dfae5006a6c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 30 Jul 2019 05:50:44 -0300 |
| Subject: media: iguanair: add sanity checks |
| |
| From: Oliver Neukum <oneukum@suse.com> |
| |
| [ Upstream commit ab1cbdf159beba7395a13ab70bc71180929ca064 ] |
| |
| The driver needs to check the endpoint types, too, as opposed |
| to the number of endpoints. This also requires moving the check earlier. |
| |
| Reported-by: syzbot+01a77b82edaa374068e1@syzkaller.appspotmail.com |
| Signed-off-by: Oliver Neukum <oneukum@suse.com> |
| Signed-off-by: Sean Young <sean@mess.org> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/media/rc/iguanair.c | 15 +++++++-------- |
| 1 file changed, 7 insertions(+), 8 deletions(-) |
| |
| diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c |
| index 5f634545ddd81..25470395c43f1 100644 |
| --- a/drivers/media/rc/iguanair.c |
| +++ b/drivers/media/rc/iguanair.c |
| @@ -430,6 +430,10 @@ static int iguanair_probe(struct usb_interface *intf, |
| int ret, pipein, pipeout; |
| struct usb_host_interface *idesc; |
| |
| + idesc = intf->altsetting; |
| + if (idesc->desc.bNumEndpoints < 2) |
| + return -ENODEV; |
| + |
| ir = kzalloc(sizeof(*ir), GFP_KERNEL); |
| rc = rc_allocate_device(); |
| if (!ir || !rc) { |
| @@ -444,18 +448,13 @@ static int iguanair_probe(struct usb_interface *intf, |
| ir->urb_in = usb_alloc_urb(0, GFP_KERNEL); |
| ir->urb_out = usb_alloc_urb(0, GFP_KERNEL); |
| |
| - if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out) { |
| + if (!ir->buf_in || !ir->packet || !ir->urb_in || !ir->urb_out || |
| + !usb_endpoint_is_int_in(&idesc->endpoint[0].desc) || |
| + !usb_endpoint_is_int_out(&idesc->endpoint[1].desc)) { |
| ret = -ENOMEM; |
| goto out; |
| } |
| |
| - idesc = intf->altsetting; |
| - |
| - if (idesc->desc.bNumEndpoints < 2) { |
| - ret = -ENODEV; |
| - goto out; |
| - } |
| - |
| ir->rc = rc; |
| ir->dev = &intf->dev; |
| ir->udev = udev; |
| -- |
| 2.20.1 |
| |