[PATCH 1/2] wireless: ath9k_htc: fix NULL-deref at probe

Johan Hovold Mon, 13 Mar 2017 05:45:52 -0700

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.


Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Cc: Sujith Manoharan <sujith.manoha...@atheros.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c 
b/drivers/net/wireless/ath/ath9k/hif_usb.c
index de2d212f39ec..9206955e865a 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1219,6 +1219,9 @@ static int send_eject_command(struct usb_interface 
*interface)
        u8 bulk_out_ep;
        int r;
 
+       if (iface_desc->desc.bNumEndpoints < 2)
+               return -ENODEV;
+
        /* Find bulk out endpoint */
        for (r = 1; r >= 0; r--) {
                endpoint = &iface_desc->endpoint[r].desc;
-- 
2.12.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH 1/2] wireless: ath9k_htc: fix NULL-deref at probe

Reply via email to