Skip to content

Commit a246b4d

Browse files
jhovoldmchehab
authored andcommitted
media: xirlink_cit: add missing descriptor sanity checks
Make sure to check that we have two alternate settings and at least one endpoint before accessing the second altsetting structure and dereferencing the endpoint arrays. This specifically avoids dereferencing NULL-pointers or corrupting memory when a device does not have the expected descriptors. Note that the sanity check in cit_get_packet_size() is not redundant as the driver is mixing looking up altsettings by index and by number, which may not coincide. Fixes: 659fefa ("V4L/DVB: gspca_xirlink_cit: Add support for camera with a bcd version of 0.01") Fixes: 59f8b0b ("V4L/DVB: gspca_xirlink_cit: support bandwidth changing for devices with 1 alt setting") Cc: stable <stable@vger.kernel.org> # 2.6.37 Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
1 parent 485b06a commit a246b4d

File tree

1 file changed

+17
-1
lines changed

1 file changed

+17
-1
lines changed

Diff for: drivers/media/usb/gspca/xirlink_cit.c

+17-1
Original file line numberDiff line numberDiff line change
@@ -1442,6 +1442,9 @@ static int cit_get_packet_size(struct gspca_dev *gspca_dev)
14421442
return -EIO;
14431443
}
14441444

1445+
if (alt->desc.bNumEndpoints < 1)
1446+
return -ENODEV;
1447+
14451448
return le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
14461449
}
14471450

@@ -2626,6 +2629,7 @@ static int sd_start(struct gspca_dev *gspca_dev)
26262629

26272630
static int sd_isoc_init(struct gspca_dev *gspca_dev)
26282631
{
2632+
struct usb_interface_cache *intfc;
26292633
struct usb_host_interface *alt;
26302634
int max_packet_size;
26312635

@@ -2641,8 +2645,17 @@ static int sd_isoc_init(struct gspca_dev *gspca_dev)
26412645
break;
26422646
}
26432647

2648+
intfc = gspca_dev->dev->actconfig->intf_cache[0];
2649+
2650+
if (intfc->num_altsetting < 2)
2651+
return -ENODEV;
2652+
2653+
alt = &intfc->altsetting[1];
2654+
2655+
if (alt->desc.bNumEndpoints < 1)
2656+
return -ENODEV;
2657+
26442658
/* Start isoc bandwidth "negotiation" at max isoc bandwidth */
2645-
alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
26462659
alt->endpoint[0].desc.wMaxPacketSize = cpu_to_le16(max_packet_size);
26472660

26482661
return 0;
@@ -2665,6 +2678,9 @@ static int sd_isoc_nego(struct gspca_dev *gspca_dev)
26652678
break;
26662679
}
26672680

2681+
/*
2682+
* Existence of altsetting and endpoint was verified in sd_isoc_init()
2683+
*/
26682684
alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
26692685
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
26702686
if (packet_size <= min_packet_size)

0 commit comments

Comments
 (0)