Commit 86a283d3 authored by Johan Hovold's avatar Johan Hovold Committed by Willy Tarreau

USB: whiteheat: fix potential null-deref at probe

commit cbb4be65 upstream.

Fix potential null-pointer dereference at probe by making sure that the
required endpoints are present.

The whiteheat driver assumes there are at least five pairs of bulk
endpoints, of which the final pair is used for the "command port". An
attempt to bind to an interface with fewer bulk endpoints would
currently lead to an oops.

Fixes CVE-2015-5257.
Reported-by: default avatarMoein Ghasemzadeh <moein@istuary.com>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent bce7c92e
......@@ -143,6 +143,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial,
static int whiteheat_firmware_attach(struct usb_serial *serial);
/* function prototypes for the Connect Tech WhiteHEAT serial converter */
static int whiteheat_probe(struct usb_serial *serial,
const struct usb_device_id *id);
static int whiteheat_attach(struct usb_serial *serial);
static void whiteheat_release(struct usb_serial *serial);
static int whiteheat_open(struct tty_struct *tty,
......@@ -188,6 +190,7 @@ static struct usb_serial_driver whiteheat_device = {
.usb_driver = &whiteheat_driver,
.id_table = id_table_std,
.num_ports = 4,
.probe = whiteheat_probe,
.attach = whiteheat_attach,
.release = whiteheat_release,
.open = whiteheat_open,
......@@ -387,6 +390,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial)
/*****************************************************************************
* Connect Tech's White Heat serial driver functions
*****************************************************************************/
static int whiteheat_probe(struct usb_serial *serial,
const struct usb_device_id *id)
{
struct usb_host_interface *iface_desc;
struct usb_endpoint_descriptor *endpoint;
size_t num_bulk_in = 0;
size_t num_bulk_out = 0;
size_t min_num_bulk;
unsigned int i;
iface_desc = serial->interface->cur_altsetting;
for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) {
endpoint = &iface_desc->endpoint[i].desc;
if (usb_endpoint_is_bulk_in(endpoint))
++num_bulk_in;
if (usb_endpoint_is_bulk_out(endpoint))
++num_bulk_out;
}
min_num_bulk = COMMAND_PORT + 1;
if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk)
return -ENODEV;
return 0;
}
static int whiteheat_attach(struct usb_serial *serial)
{
struct usb_serial_port *command_port;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment