The visor driver crashes in clie_5_attach() when a specially crafted USB device without bulk-out endpoint is detected. This fix adds a check that the device has proper configuration expected by the driver. Also error message output is added to the one of the error paths. Reported-by: Ralf Spenneberg <ralf@xxxxxxxxxxxxxx> Signed-off-by: Vladis Dronov <vdronov@xxxxxxxxxx> --- Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1296466 drivers/usb/serial/visor.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c index 60afb39..9913039 100644 --- a/drivers/usb/serial/visor.c +++ b/drivers/usb/serial/visor.c @@ -584,6 +584,7 @@ static int treo_attach(struct usb_serial *serial) static int clie_5_attach(struct usb_serial *serial) { + struct device *dev = &serial->dev->dev; struct usb_serial_port *port; unsigned int pipe; int j; @@ -597,8 +598,11 @@ static int clie_5_attach(struct usb_serial *serial) */ /* some sanity check */ - if (serial->num_ports < 2) + if (serial->num_ports < 2) { + dev_err(dev, "%s: number of ports %d is less than 2\n", + __func__, serial->num_ports); return -1; + } /* port 0 now uses the modified endpoint Address */ port = serial->port[0]; @@ -607,7 +611,13 @@ static int clie_5_attach(struct usb_serial *serial) pipe = usb_sndbulkpipe(serial->dev, port->bulk_out_endpointAddress); for (j = 0; j < ARRAY_SIZE(port->write_urbs); ++j) - port->write_urbs[j]->pipe = pipe; + if (port->write_urbs[j]) + port->write_urbs[j]->pipe = pipe; + else { + dev_err(dev, "%s: Write URB %d for port 0 was not allocated\n", + __func__, j); + return -1; + } return 0; } -- 2.4.3 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
