From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Mon, 14 Mar 2016 10:38:31 -0400

Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors

The iowarrior driver expects at least one valid endpoint.  If given

malicious descriptors that specify 0 for the number of endpoints,

it will crash in the probe function.  Ensure there is at least

one endpoint on the interface before using it.

The full report of this issue can be found here:

http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>

Cc: stable <stable@vger.kernel.org>

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

---

 drivers/usb/misc/iowarrior.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c

index c6bfd13f6c92..1950e87b4219 100644

--- a/drivers/usb/misc/iowarrior.c

+++ b/drivers/usb/misc/iowarrior.c

@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,

 	iface_desc = interface->cur_altsetting;

 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);

+	if (iface_desc->desc.bNumEndpoints < 1) {

+		dev_err(&interface->dev, "Invalid number of endpoints\n");

+		retval = -EINVAL;

+		goto error;

+	}

+

 	/* set up the endpoint information */

 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {

 		endpoint = &iface_desc->endpoint[i].desc;

-- 

2.5.0