Input: gtco - fix crash on detecting device without endpoints

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.

Also let's fix a minor coding style issue.

The full correct report of this issue can be found in the public
Red Hat Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1283385

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

authored by

Vladis Dronov and committed by

Dmitry Torokhov 10 years ago 162f98de d314e9e8

+9 -1

1 changed file

expand all

drivers

input

tablet

gtco.c

+9 -1

drivers/input/tablet/gtco.c

··· 858 858 goto err_free_buf; 859 859 } 860 860 861 + /* Sanity check that a device has an endpoint */ 862 + if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { 863 + dev_err(&usbinterface->dev, 864 + "Invalid number of endpoints\n"); 865 + error = -EINVAL; 866 + goto err_free_urb; 867 + } 868 + 861 869 /* 862 870 * The endpoint is always altsetting 0, we know this since we know 863 871 * this device only has one interrupt endpoint ··· 887 879 * HID report descriptor 888 880 */ 889 881 if (usb_get_extra_descriptor(usbinterface->cur_altsetting, 890 - HID_DEVICE_TYPE, &hid_desc) != 0){ 882 + HID_DEVICE_TYPE, &hid_desc) != 0) { 891 883 dev_err(&usbinterface->dev, 892 884 "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); 893 885 error = -EIO;