On Mon, Mar 13, 2017 at 03:17:39PM +0100, Johan Hovold wrote:
> [ Adding linux-usb which I forgot to CC for this one ]
>
> On Mon, Mar 13, 2017 at 06:42:45AM -0700, Guenter Roeck wrote:
> > On 03/13/2017 05:49 AM, Johan Hovold wrote:
> > > Make sure to check the number of endpoints to avoid dereferencing a
> > > NULL-pointer should a malicious device lack endpoints.
> > >
> >
> > Is this theory or was it actually observed ?
>
> This was found through inspection, but creating a USB device to crash a
> host with this driver enabled is easily done.
>
Ok, makes sense. I see other drivers doing a similar check.
Guenter
> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Cc: stable <stable@xxxxxxxxxxxxxxx>
> > > Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> > > ---
> > > drivers/watchdog/pcwd_usb.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/watchdog/pcwd_usb.c b/drivers/watchdog/pcwd_usb.c
> > > index 99ebf6ea3de6..5615f4013924 100644
> > > --- a/drivers/watchdog/pcwd_usb.c
> > > +++ b/drivers/watchdog/pcwd_usb.c
> > > @@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_interface *interface,
> > > return -ENODEV;
> > > }
> > >
> > > + if (iface_desc->desc.bNumEndpoints < 1)
> > > + return -ENODEV;
> > > +
> > > /* check out the endpoint: it has to be Interrupt & IN */
> > > endpoint = &iface_desc->endpoint[0].desc;
> > >
> > >
>
> Johan