This patch checks the number of endpoints reported by the USB interface descriptor and throws an error if the number exceeds MAX_NUM_ENDPOINTS. Signed-off-by: Christian Gromm <christian.gromm@xxxxxxxxxxxxx> Reported-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- v2: v3: - initialize return variable Reported-by: kbuild test robot <lkp@xxxxxxxxx> drivers/staging/most/usb/usb.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/staging/most/usb/usb.c b/drivers/staging/most/usb/usb.c index dbb6003..36c277f 100644 --- a/drivers/staging/most/usb/usb.c +++ b/drivers/staging/most/usb/usb.c @@ -950,13 +950,17 @@ hdm_probe(struct usb_interface *interface, const struct usb_device_id *id) unsigned int num_endpoints; struct most_channel_capability *tmp_cap; struct usb_endpoint_descriptor *ep_desc; - int ret = 0; + int ret = -ENOMEM; if (!mdev) - goto err_out_of_memory; + return -ENOMEM; usb_set_intfdata(interface, mdev); num_endpoints = usb_iface_desc->desc.bNumEndpoints; + if (num_endpoints > MAX_NUM_ENDPOINTS) { + kfree(mdev); + return -EINVAL; + } mutex_init(&mdev->io_mutex); INIT_WORK(&mdev->poll_work_obj, wq_netinfo); timer_setup(&mdev->link_stat_timer, link_stat_timer_handler, 0); @@ -1085,11 +1089,6 @@ hdm_probe(struct usb_interface *interface, const struct usb_device_id *id) kfree(mdev->conf); err_free_mdev: put_device(&mdev->dev); -err_out_of_memory: - if (ret == 0 || ret == -ENOMEM) { - ret = -ENOMEM; - dev_err(dev, "out of memory\n"); - } return ret; } -- 2.7.4