On Fri, Mar 18, 2016 at 07:35:00PM +0100, Vladis Dronov wrote:
> The gtco driver expects at least one valid endpoint. If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function. Ensure there is at least
> one endpoint on the interface before using it. Fix minor coding
> style issue.
>
> The full report of this issue can be found here:
> http://seclists.org/bugtraq/2016/Mar/86
>
> Reported-by: Ralf Spenneberg <[email protected]>
> Signed-off-by: Vladis Dronov <[email protected]>
Applied, thank you.
> ---
> drivers/input/tablet/gtco.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
> index 3a7f3a4..7c18249 100644
> --- a/drivers/input/tablet/gtco.c
> +++ b/drivers/input/tablet/gtco.c
> @@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
> goto err_free_buf;
> }
>
> + /* Sanity check that a device has an endpoint */
> + if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
> + dev_err(&usbinterface->dev,
> + "Invalid number of endpoints\n");
> + error = -EINVAL;
> + goto err_free_urb;
> + }
> +
> /*
> * The endpoint is always altsetting 0, we know this since we know
> * this device only has one interrupt endpoint
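Review bot: The new check in gtco_probe() only verifies that altsetting[0] reports at least one endpoint, while the comment directly below it shows the driver also assumes that endpoint is an interrupt endpoint, and nothing in the hunk verifies the type. A descriptor set with one endpoint of a different transfer type would pass this check. Consider validating the type as well before the endpoint is used, for example with usb_endpoint_xfer_int() on the endpoint descriptor. Separately, the check indexes altsetting[0] while the usb_get_extra_descriptor() call in the next hunk uses cur_altsetting; using one of the two consistently would make it clear that the setting being validated is the one being dereferenced.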
> @@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
> * HID report descriptor
> */
> if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
> - HID_DEVICE_TYPE, &hid_desc) != 0){
> + HID_DEVICE_TYPE, &hid_desc) != 0) {
> dev_err(&usbinterface->dev,
> "Can't retrieve exta USB descriptor to get hid report
> descriptor length\n");
> error = -EIO;
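Review bot: The brace spacing change on the usb_get_extra_descriptor() condition is unrelated to the endpoint count check, and splitting it into its own patch would keep the fix minimal for backporting. If a cleanup does stay in this hunk, the dev_err string immediately below still reads "exta" where "extra" is meant and could be corrected at the same time.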
> --
> 2.5.0
--
Dmitry