From 2b1f9e508ead487c5579240594cd1707b6d7a4c7 Mon Sep 17 00:00:00 2001
From: riastradh <riastradh@NetBSD.org>
Date: Sun, 26 Jun 2022 21:35:53 +0000
Subject: [PATCH] umcs(4): Reject invalid interrupt endpoints.

Reported-by: syzbot+cd1e60e112e840e40d0a@syzkaller.appspotmail.com
---
 sys/dev/usb/umcs.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/dev/usb/umcs.c b/sys/dev/usb/umcs.c
index 4f07db04361a0..e5edca86576e7 100644
--- a/sys/dev/usb/umcs.c
+++ b/sys/dev/usb/umcs.c
@@ -1,4 +1,4 @@
-/* $NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $ */
+/* $NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $ */
 /* $FreeBSD: head/sys/dev/usb/serial/umcs.c 260559 2014-01-12 11:44:28Z hselasky $ */
 
 /*-
@@ -41,7 +41,7 @@
  *
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -276,6 +276,12 @@ umcs7840_attach(device_t parent, device_t self, void *aux)
 		sc->sc_dying = true;
 		return;
 	}
+	if (sc->sc_intr_buflen == 0) {
+		aprint_error_dev(self, "invalid interrupt endpoint"
+		    " (addr %d)\n", intr_addr);
+		sc->sc_dying = true;
+		return;
+	}
 	sc->sc_intr_buf = kmem_alloc(sc->sc_intr_buflen, KM_SLEEP);
 
 	error = usbd_open_pipe_intr(sc->sc_iface, intr_addr,