Commit 795ecd95 authored by Johan Hovold's avatar Johan Hovold Committed by Ben Hutchings

zd1211rw: fix NULL-deref at probe

commit ca260ece upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: a1030e92 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
Cc: Daniel Drake <dsd@gentoo.org>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 135e5d48
...@@ -1281,6 +1281,9 @@ static int eject_installer(struct usb_interface *intf) ...@@ -1281,6 +1281,9 @@ static int eject_installer(struct usb_interface *intf)
u8 bulk_out_ep; u8 bulk_out_ep;
int r; int r;
if (iface_desc->desc.bNumEndpoints < 2)
return -ENODEV;
/* Find bulk out endpoint */ /* Find bulk out endpoint */
for (r = 1; r >= 0; r--) { for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc; endpoint = &iface_desc->endpoint[r].desc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment