On Fri, Mar 18, 2016 at 07:35:00PM +0100, Vladis Dronov wrote: > The gtco driver expects at least one valid endpoint. If given > malicious descriptors that specify 0 for the number of endpoints, > it will crash in the probe function. Ensure there is at least > one endpoint on the interface before using it. Fix minor coding > style issue. > > The full report of this issue can be found here: > http://seclists.org/bugtraq/2016/Mar/86 > > Reported-by: Ralf Spenneberg <ralf@xxxxxxxxxxxxxx> > Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx> Applied, thank you. > --- > drivers/input/tablet/gtco.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c > index 3a7f3a4..7c18249 100644 > --- a/drivers/input/tablet/gtco.c > +++ b/drivers/input/tablet/gtco.c > @@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, > goto err_free_buf; > } > > + /* Sanity check that a device has an endpoint */ > + if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { > + dev_err(&usbinterface->dev, > + "Invalid number of endpoints\n"); > + error = -EINVAL; > + goto err_free_urb; > + } > + > /* > * The endpoint is always altsetting 0, we know this since we know > * this device only has one interrupt endpoint > @@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, > * HID report descriptor > */ > if (usb_get_extra_descriptor(usbinterface->cur_altsetting, > - HID_DEVICE_TYPE, &hid_desc) != 0){ > + HID_DEVICE_TYPE, &hid_desc) != 0) { > dev_err(&usbinterface->dev, > "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); > error = -EIO; > -- > 2.5.0 -- Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
