On Mon, Mar 21, 2016 at 03:57:37PM +0100, Oliver Neukum wrote:
> The driver can be crashed with devices that expose crafted
> descriptors with too few endpoints.
> See:
> http://seclists.org/bugtraq/2016/Mar/61
>
> Signed-off-by: Oliver Neukum <ONeukum@xxxxxxxx>
>
> v1 - added sanity checks
> v2 - moved them to probe() to fix problems Johan pointed out
> ---
>  drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
>  1 file changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
> index 12b0e67..dab1dcf 100644
> --- a/drivers/usb/serial/digi_acceleport.c
> +++ b/drivers/usb/serial/digi_acceleport.c
> @@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
>  static int digi_startup(struct usb_serial *serial)
>  {
>  	struct digi_serial *serial_priv;
> -	int ret;
> +	int ret = -ENODEV;
> +	int i;
>  
>  	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
>  	if (!serial_priv)
> @@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
>  
>  	spin_lock_init(&serial_priv->ds_serial_lock);
>  	serial_priv->ds_oob_port_num = serial->type->num_ports;
> +
> +	/* Check whether the expected number of ports matches the device */
> +	if (serial->num_ports < serial_priv->ds_oob_port_num)
> +		goto error;

This should be

	if (serial->num_port_pointers < serial->type->num_ports + 1)

as serial->num_ports will (generally) equal serial->type->num_ports, and
we need to check that we got one more port structure than we requested.

I fixed that up and moved the check above the private-data allocation.

Thanks,
Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
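Review bot: in the first hunk, `int i;` is added but nothing in the posted hunks uses it, so the build will warn about an unused variable unless the loop that needs it was dropped from v2; either remove the declaration or include the code that uses it. Initialising `ret = -ENODEV` at declaration only does the right thing if the `error:` label that the later `goto error;` jumps to returns `ret` unchanged, so it is worth confirming that no path between the declaration and the label reassigns it before the jump.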
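Review bot: in the second hunk, the comparison at `if (serial->num_ports < serial_priv->ds_oob_port_num)` cannot catch the case it is meant for: `ds_oob_port_num` was set on the line just above to `serial->type->num_ports`, and `serial->num_ports` normally holds that same value, so the check passes even when the extra out-of-band port structure is missing. Compare against the number of port structures the core actually allocated instead, e.g. `if (serial->num_port_pointers < serial->type->num_ports + 1)`, and since that test depends only on `serial`, place it before the `kzalloc()` so the error path does not also have to free `serial_priv`.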