projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d582351)
[media] usbvision: fix NULL-deref at probe
authorJohan Hovold <johan@kernel.org>
Mon, 13 Mar 2017 12:53:55 +0000 (09:53 -0300)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Mon, 10 Apr 2017 10:30:58 +0000 (07:30 -0300)
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")

Cc: stable <stable@vger.kernel.org> # 2.6.21
Cc: Thierry MERLE <thierry.merle@free.fr>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/usb/usbvision/usbvision-video.c patch | blob | blame | history

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index f5c635a67d74427707e0f44703d6a75f85de9519..f9c3325aa4d4194d23353a45823c1570a98dc66e 100644 (file)
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1501,7 +1501,14 @@ static int usbvision_probe(struct usb_interface *intf,
        }
 
        for (i = 0; i < usbvision->num_alt; i++) {
-               u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+               u16 tmp;
+
+               if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+                       ret = -ENODEV;
+                       goto err_pkt;
+               }
+
+               tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
                                      wMaxPacketSize);
                usbvision->alt_max_pkt_size[i] =
                        (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);