Input: iforce - validate number of endpoints before using them

[ Upstream commit 59cf8bed ] Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory that lie beyond the end of the endpoint array should a malicious device lack the expected endpoints. Signed-off-by: Johan Hovold <johan@kernel.org> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

Input: iforce - validate number of endpoints before using them
[ Upstream commit 59cf8bed ] Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory that lie beyond the end of the endpoint array should a malicious device lack the expected endpoints. Signed-off-by: Johan Hovold <johan@kernel.org> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
76d98101 · Johan Hovold · Sasha Levin · edf3bd95 · 76d98101
Commit 76d98101 authored Mar 16, 2017 by Johan Hovold Committed by Sasha Levin May 17, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/input/joystick/iforce/iforce-usb.c drivers/input/joystick/iforce/iforce-usb.c +3 -0

No files found.
--- a/drivers/input/joystick/iforce/iforce-usb.c
+++ b/drivers/input/joystick/iforce/iforce-usb.c
@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_interface *intf,

 	interface = intf->cur_altsetting;

+	if (interface->desc.bNumEndpoints < 2)
+		return -ENODEV;
+
 	epirq = &interface->endpoint[0].desc;
 	epout = &interface->endpoint[1].desc;