Commit ca4f5edc authored by Johan Hovold's avatar Johan Hovold Committed by Sasha Levin

ath9k_htc: fix NULL-deref at probe

[ Upstream commit ebeb3667 ]

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce43 ("ath9k_htc: Handle storage devices")
Cc: stable <stable@vger.kernel.org>     # 2.6.39+
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
parent 783494a2
...@@ -1145,6 +1145,9 @@ static int send_eject_command(struct usb_interface *interface) ...@@ -1145,6 +1145,9 @@ static int send_eject_command(struct usb_interface *interface)
u8 bulk_out_ep; u8 bulk_out_ep;
int r; int r;
if (iface_desc->desc.bNumEndpoints < 2)
return -ENODEV;
/* Find bulk out endpoint */ /* Find bulk out endpoint */
for (r = 1; r >= 0; r--) { for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc; endpoint = &iface_desc->endpoint[r].desc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment