On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
>
> commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
>
> The iowarrior driver expects at least one valid endpoint. If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function. Ensure there is at least
> one endpoint on the interface before using it.
[...]

Which means our imaginary attacker will move on to providing a single
endpoint of the wrong type.

You've fixed the driver to reject the PoC descriptor without thinking
about what the driver actually requires. I don't see the point of
applying this to stable; it doesn't provide any meaningful security
benefit.

Ben.

--
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
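
An added example, not part of the original message and not the kernel driver's code: a user-space C model contrasting a count-only endpoint check with a check for the endpoint a driver actually goes on to use. The struct, the function names and the assumption that the driver needs one interrupt-IN endpoint are illustrative.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a USB endpoint descriptor (constructed for this
 * example; field names follow the USB spec, not the kernel structs). */
struct ep_desc {
    uint8_t bEndpointAddress;   /* bit 7 set = IN (device to host) */
    uint8_t bmAttributes;       /* bits 1:0 = transfer type */
};

#define EP_DIR_IN    0x80
#define EP_XFER_MASK 0x03
#define EP_XFER_BULK 0x02
#define EP_XFER_INT  0x03

/* Count-only check: accepts any interface with at least one endpoint. */
static int probe_check_count(const struct ep_desc *eps, size_t n)
{
    (void)eps;
    return n >= 1 ? 0 : -1;
}

/* Requirement check: locate the endpoint the driver will dereference
 * later (assumed: one interrupt-IN endpoint) and fail if it is absent. */
static const struct ep_desc *find_int_in(const struct ep_desc *eps, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((eps[i].bEndpointAddress & EP_DIR_IN) &&
            (eps[i].bmAttributes & EP_XFER_MASK) == EP_XFER_INT)
            return &eps[i];
    return NULL;
}

static int probe_check_required(const struct ep_desc *eps, size_t n)
{
    return find_int_in(eps, n) ? 0 : -1;
}

/* Constructed sample descriptors. */
static const struct ep_desc good[]       = { { 0x81, EP_XFER_INT } };
static const struct ep_desc wrong_type[] = { { 0x02, EP_XFER_BULK } };

int main(void)
{
    /* Count-only accepts the wrong-type interface; the requirement check rejects it. */
    return !(probe_check_count(wrong_type, 1) == 0 &&
             probe_check_required(wrong_type, 1) == -1 &&
             probe_check_required(good, 1) == 0);
}
```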