On Mon, Mar 21, 2016 at 03:57:37PM +0100, Oliver Neukum wrote:
> The driver can be crashed with devices that expose crafted
> descriptors with too few endpoints.
> See:
> http://seclists.org/bugtraq/2016/Mar/61
>
> Signed-off-by: Oliver Neukum <[email protected]>
>
> v1 - added sanity checks
> v2 - moved them to probe() to fix problems Johan pointed out
> ---
> drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/usb/serial/digi_acceleport.c
> b/drivers/usb/serial/digi_acceleport.c
> index 12b0e67..dab1dcf 100644
> --- a/drivers/usb/serial/digi_acceleport.c
> +++ b/drivers/usb/serial/digi_acceleport.c
> @@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port,
> unsigned port_num)
> static int digi_startup(struct usb_serial *serial)
> {
> struct digi_serial *serial_priv;
> - int ret;
> + int ret = -ENODEV;
> + int i;
>
> serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
> if (!serial_priv)
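Review bot: `int i;` is introduced in this hunk but nothing in the visible hunks uses it; if the rest of the patch does not use it either, drop the declaration, otherwise it only produces an unused-variable warning. Initialising `ret = -ENODEV` at declaration also means the later `goto error` path relies on the `error:` label returning `ret` unchanged, and that label is outside the shown context, so it is worth confirming it does not overwrite the value.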
> @@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
>
> spin_lock_init(&serial_priv->ds_serial_lock);
> serial_priv->ds_oob_port_num = serial->type->num_ports;
> +
> + /* Check whether the expected number of ports matches the device */
> + if (serial->num_ports < serial_priv->ds_oob_port_num)
> + goto error;
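Review bot: the new check runs after `serial_priv` has been allocated with `kzalloc()`, so the `goto error` path must free it or the allocation leaks on a device that fails the check; placing the check before the allocation avoids the cleanup entirely. The condition `serial->num_ports < serial_priv->ds_oob_port_num` also compares `num_ports` against `serial->type->num_ports`, which was just stored as the out-of-band port index; the driver needs one port structure beyond that index, so the check should confirm that extra port actually exists (compare against `serial->num_port_pointers`, as the reply below points out) rather than comparing two counts that normally match.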
This should be
if (serial->num_port_pointers < serial->type->num_ports + 1)
as serial->num_ports will (generally) equal serial->type->num_ports, and
we need to check that we got one more port structure than we requested.
I fixed that up and moved the check above the private-data allocation.
Thanks,
Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html