| From foo@baz Mon Dec 18 15:03:25 CET 2017 |
| From: Johan Hovold <johan@kernel.org> |
| Date: Mon, 13 Mar 2017 13:42:03 +0100 |
| Subject: net: wimax/i2400m: fix NULL-deref at probe |
| |
| From: Johan Hovold <johan@kernel.org> |
| |
| |
| [ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ] |
| |
| Make sure to check the number of endpoints to avoid dereferencing a |
| NULL-pointer or accessing memory beyond the endpoint array should a |
| malicious device lack the expected endpoints. |
| |
| The endpoints are specifically dereferenced in the i2400m_bootrom_init |
| path during probe (e.g. in i2400mu_tx_bulk_out). |
| |
| Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown |
| and reset backends") |
| Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com> |
| |
| Signed-off-by: Johan Hovold <johan@kernel.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/wimax/i2400m/usb.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/net/wimax/i2400m/usb.c |
| +++ b/drivers/net/wimax/i2400m/usb.c |
| @@ -467,6 +467,9 @@ int i2400mu_probe(struct usb_interface * |
| struct i2400mu *i2400mu; |
| struct usb_device *usb_dev = interface_to_usbdev(iface); |
| |
| + if (iface->cur_altsetting->desc.bNumEndpoints < 4) |
| + return -ENODEV; |
| + |
| if (usb_dev->speed != USB_SPEED_HIGH) |
| dev_err(dev, "device not connected as high speed\n"); |
| |
