
Commit 485b06a

jhovoldmchehab
authored andcommitted
media: stv06xx: add missing descriptor sanity checks
Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays. This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors. Note that the sanity checks in stv06xx_start() and pb0100_start() are not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide. Fixes: 8668d50 ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor") Fixes: c0b33bd ("[media] gspca-stv06xx: support bandwidth changing") Cc: stable <stable@vger.kernel.org> # 2.6.31 Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
1 parent 9989123 commit 485b06a


2 files changed

+22
-1
lines changed


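--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
@@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_dev *gspca_dev)
 return -EIO;
 }
 
+if (alt->desc.bNumEndpoints < 1)
+return -ENODEV;
+
 packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
 if (err < 0)
@@ -306,11 +309,21 @@ static int stv06xx_start(struct gspca_dev *gspca_dev)
 
 static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
 {
+struct usb_interface_cache *intfc;
 struct usb_host_interface *alt;
 struct sd *sd = (struct sd *) gspca_dev;
 
+intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+if (intfc->num_altsetting < 2)
+return -ENODEV;
+
+alt = &intfc->altsetting[1];
+
+if (alt->desc.bNumEndpoints < 1)
+return -ENODEV;
+
 /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 alt->endpoint[0].desc.wMaxPacketSize =
 cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
 
@@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspca_dev *gspca_dev)
 struct usb_host_interface *alt;
 struct sd *sd = (struct sd *) gspca_dev;
 
+/*
+* Existence of altsetting and endpoint was verified in
+* stv06xx_isoc_init()
+*/
 alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
 packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];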
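Review bot: In stv06xx_isoc_nego() the `altsetting[1]` and `endpoint[0]` dereferences are still guarded only by the new comment, which holds only if stv06xx_isoc_init() has always run first and returned 0; that call ordering is not visible in this diff. Repeating the check locally would keep the function safe against a device with unexpected descriptors however it is reached, e.g. `intfc = gspca_dev->dev->actconfig->intf_cache[0];` followed by `if (intfc->num_altsetting < 2 || intfc->altsetting[1].desc.bNumEndpoints < 1) return -ENODEV;`. If the comment is kept instead, it should name the callback order that guarantees the invariant. The body of stv06xx_isoc_nego() continues past the end of the hunk.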

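--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
@@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd)
 alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
 if (!alt)
 return -ENODEV;
+
+if (alt->desc.bNumEndpoints < 1)
+return -ENODEV;
+
 packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 
 /* If we don't have enough bandwidth use a lower framerate */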
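Review bot: The added `bNumEndpoints` check in pb0100_start() has no comment explaining why it is needed in addition to the one in stv06xx_start(); the reason is given only in the commit message (altsettings are looked up by number here and by index elsewhere, and the two may not coincide). A short comment above the check would stop a later cleanup from removing it as redundant, e.g. `/* alt is looked up by number here, so re-check its endpoints before using endpoint[0] */`. pb0100_start() begins and ends outside the hunk.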
