Commit 485b06aa authored by Johan Hovold's avatar Johan Hovold Committed by Mauro Carvalho Chehab

media: stv06xx: add missing descriptor sanity checks

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity checks in stv06xx_start() and pb0100_start() are
not redundant as the driver is mixing looking up altsettings by index
and by number, which may not coincide.

Fixes: 8668d504 ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
Fixes: c0b33bdc ("[media] gspca-stv06xx: support bandwidth changing")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent 99891234
...@@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_dev *gspca_dev) ...@@ -282,6 +282,9 @@ static int stv06xx_start(struct gspca_dev *gspca_dev)
return -EIO; return -EIO;
} }
if (alt->desc.bNumEndpoints < 1)
return -ENODEV;
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size); err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
if (err < 0) if (err < 0)
...@@ -306,11 +309,21 @@ static int stv06xx_start(struct gspca_dev *gspca_dev) ...@@ -306,11 +309,21 @@ static int stv06xx_start(struct gspca_dev *gspca_dev)
static int stv06xx_isoc_init(struct gspca_dev *gspca_dev) static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
{ {
struct usb_interface_cache *intfc;
struct usb_host_interface *alt; struct usb_host_interface *alt;
struct sd *sd = (struct sd *) gspca_dev; struct sd *sd = (struct sd *) gspca_dev;
intfc = gspca_dev->dev->actconfig->intf_cache[0];
if (intfc->num_altsetting < 2)
return -ENODEV;
alt = &intfc->altsetting[1];
if (alt->desc.bNumEndpoints < 1)
return -ENODEV;
/* Start isoc bandwidth "negotiation" at max isoc bandwidth */ /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
alt->endpoint[0].desc.wMaxPacketSize = alt->endpoint[0].desc.wMaxPacketSize =
cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]); cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
...@@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspca_dev *gspca_dev) ...@@ -323,6 +336,10 @@ static int stv06xx_isoc_nego(struct gspca_dev *gspca_dev)
struct usb_host_interface *alt; struct usb_host_interface *alt;
struct sd *sd = (struct sd *) gspca_dev; struct sd *sd = (struct sd *) gspca_dev;
/*
* Existence of altsetting and endpoint was verified in
* stv06xx_isoc_init()
*/
alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1]; alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode]; min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];
......
...@@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd) ...@@ -185,6 +185,10 @@ static int pb0100_start(struct sd *sd)
alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt); alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
if (!alt) if (!alt)
return -ENODEV; return -ENODEV;
if (alt->desc.bNumEndpoints < 1)
return -ENODEV;
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
/* If we don't have enough bandwidth use a lower framerate */ /* If we don't have enough bandwidth use a lower framerate */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment