Skip to content
Permalink
Browse files Browse the repository at this point in the history
USB: digi_acceleport: do sanity checking for the number of ports
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.

See: http://seclists.org/bugtraq/2016/Mar/61

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
oneukum authored and gregkh committed Mar 31, 2016
1 parent c55aee1 commit 5a07975
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions drivers/usb/serial/digi_acceleport.c
Expand Up @@ -1251,8 +1251,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)

static int digi_startup(struct usb_serial *serial)
{
struct device *dev = &serial->interface->dev;
struct digi_serial *serial_priv;
int ret;
int i;

/* check whether the device has the expected number of endpoints */
if (serial->num_port_pointers < serial->type->num_ports + 1) {
dev_err(dev, "OOB endpoints missing\n");
return -ENODEV;
}

for (i = 0; i < serial->type->num_ports + 1 ; i++) {
if (!serial->port[i]->read_urb) {
dev_err(dev, "bulk-in endpoint missing\n");
return -ENODEV;
}
if (!serial->port[i]->write_urb) {
dev_err(dev, "bulk-out endpoint missing\n");
return -ENODEV;
}
}

serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
if (!serial_priv)
Expand Down

0 comments on commit 5a07975

Please sign in to comment.