Module Name: src
Committed By: riastradh
Date: Sun Jun 26 21:35:53 UTC 2022
Modified Files:
src/sys/dev/usb: umcs.c
Log Message:
umcs(4): Reject invalid interrupt endpoints.
Reported-by: syzbot+cd1e60e112e840e40...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/dev/usb/umcs.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/umcs.c
diff -u src/sys/dev/usb/umcs.c:1.19 src/sys/dev/usb/umcs.c:1.20
--- src/sys/dev/usb/umcs.c:1.19 Tue Apr 19 01:35:28 2022
+++ src/sys/dev/usb/umcs.c Sun Jun 26 21:35:53 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $ */
+/* $NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $ */
/* $FreeBSD: head/sys/dev/usb/serial/umcs.c 260559 2014-01-12 11:44:28Z hselasky $ */
/*-
@@ -41,7 +41,7 @@
*
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.19 2022/04/19 01:35:28 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umcs.c,v 1.20 2022/06/26 21:35:53 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -276,6 +276,12 @@ umcs7840_attach(device_t parent, device_
sc->sc_dying = true;
return;
}
+ if (sc->sc_intr_buflen == 0) {
+ aprint_error_dev(self, "invalid interrupt endpoint"
+ " (addr %d)\n", intr_addr);
+ sc->sc_dying = true;
+ return;
+ }
sc->sc_intr_buf = kmem_alloc(sc->sc_intr_buflen, KM_SLEEP);
error = usbd_open_pipe_intr(sc->sc_iface, intr_addr,
