ath9k_htc: fix NULL-deref at probe

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Cc: stable <stable@vger.kernel.org>     # 2.6.39+
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 05dd056cab6eaf0b502943ffdeb6f3fa50c87839..12aa8abbcba40ce2afd27535d82a378487151070 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1220,6 +1220,9 @@ static int send_eject_command(struct usb_interface *interface)
        u8 bulk_out_ep;
        int r;
 
+       if (iface_desc->desc.bNumEndpoints < 2)
+               return -ENODEV;
+
        /* Find bulk out endpoint */
        for (r = 1; r >= 0; r--) {
                endpoint = &iface_desc->endpoint[r].desc;