Input: iforce - validate number of endpoints before using them

commit 59cf8bed upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory that lie beyond the end of the endpoint array should a malicious device lack the expected endpoints. Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Input: iforce - validate number of endpoints before using them
commit 59cf8bed upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory that lie beyond the end of the endpoint array should a malicious device lack the expected endpoints. Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
0afac79f · Johan Hovold · Greg Kroah-Hartman · de2ba808 · 0afac79f
Commit 0afac79f authored Mar 16, 2017 by Johan Hovold Committed by Greg Kroah-Hartman Mar 30, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/input/joystick/iforce/iforce-usb.c drivers/input/joystick/iforce/iforce-usb.c +3 -0

No files found.
--- a/drivers/input/joystick/iforce/iforce-usb.c
+++ b/drivers/input/joystick/iforce/iforce-usb.c
@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_interface *intf,

 	interface = intf->cur_altsetting;

+	if (interface->desc.bNumEndpoints < 2)
+		return -ENODEV;
+
 	epirq = &interface->endpoint[0].desc;
 	epout = &interface->endpoint[1].desc;