On Wed, Mar 16, 2016 at 02:43:02PM +0100, Oliver Neukum wrote: > The driver can be crashed with devices that expose crafted > descriptors with too few endpoints. > See: > http://seclists.org/bugtraq/2016/Mar/61 > > Signed-off-by: Oliver Neukum <ONeukum@xxxxxxxx> > --- > drivers/usb/serial/digi_acceleport.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c > index 12b0e67..c4d4d45 100644 > --- a/drivers/usb/serial/digi_acceleport.c > +++ b/drivers/usb/serial/digi_acceleport.c > @@ -1260,6 +1260,11 @@ static int digi_startup(struct usb_serial *serial) > > spin_lock_init(&serial_priv->ds_serial_lock); > serial_priv->ds_oob_port_num = serial->type->num_ports; > + if (!(serial_priv->ds_oob_port_num == 2 && serial->type == &digi_acceleport_2_device) > + && !(serial_priv->ds_oob_port_num == 4 && serial->type == &digi_acceleport_4_device)) { > + kfree(serial_priv); > + return -EINVAL; > + } This is not correct and will in fact always fail for two-port devices, and always succeed for 4-port devices (ds_oob_port_num is simply assigned the value from the device-type structure which is 3 or 4). What you need to do is to make sure that the expected end-points are indeed present. Again, this should ideally be done during interface probe, but you can just verify that the required structures are non-NULL here for now if you prefer. Note that this needs to be done for not just the port structure (ds_oob_port) by making sure that the serial->num_ports is large enough, but also that the oob-port has indeed got a write urb allocated (i.e. that all expected bulk-out endpoints are available). > serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num]; > > ret = digi_port_init(serial_priv->ds_oob_port, Thanks, Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
