|
 |
6850d1e |
Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints
|
|
|
6850d1e |
From: Vladis Dronov <vdronov@redhat.com>
|
|
|
6850d1e |
Date: 2016-03-18 18:35:00
|
|
|
6850d1e |
|
|
|
6850d1e |
The gtco driver expects at least one valid endpoint. If given
|
|
|
6850d1e |
malicious descriptors that specify 0 for the number of endpoints,
|
|
|
6850d1e |
it will crash in the probe function. Ensure there is at least
|
|
|
6850d1e |
one endpoint on the interface before using it. Fix minor coding
|
|
|
6850d1e |
style issue.
|
|
|
6850d1e |
|
|
|
6850d1e |
The full report of this issue can be found here:
|
|
|
6850d1e |
http://seclists.org/bugtraq/2016/Mar/86
|
|
|
6850d1e |
|
|
|
6850d1e |
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
|
|
|
6850d1e |
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
|
|
|
6850d1e |
---
|
|
|
6850d1e |
drivers/input/tablet/gtco.c | 10 +++++++++-
|
|
|
6850d1e |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
6850d1e |
|
|
|
6850d1e |
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
|
|
|
6850d1e |
index 3a7f3a4..7c18249 100644
|
|
|
6850d1e |
--- a/drivers/input/tablet/gtco.c
|
|
|
6850d1e |
+++ b/drivers/input/tablet/gtco.c
|
|
|
6850d1e |
@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
|
|
6850d1e |
goto err_free_buf;
|
|
|
6850d1e |
}
|
|
|
6850d1e |
|
|
|
6850d1e |
+ /* Sanity check that a device has an endpoint */
|
|
|
6850d1e |
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
|
|
|
6850d1e |
+ dev_err(&usbinterface->dev,
|
|
|
6850d1e |
+ "Invalid number of endpoints\n");
|
|
|
6850d1e |
+ error = -EINVAL;
|
|
|
6850d1e |
+ goto err_free_urb;
|
|
|
6850d1e |
+ }
|
|
|
6850d1e |
+
|
|
|
6850d1e |
/*
|
|
|
6850d1e |
* The endpoint is always altsetting 0, we know this since we know
|
|
|
6850d1e |
* this device only has one interrupt endpoint
|
|
|
6850d1e |
@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
|
|
|
6850d1e |
* HID report descriptor
|
|
|
6850d1e |
*/
|
|
|
6850d1e |
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
|
|
|
6850d1e |
- HID_DEVICE_TYPE, &hid_desc) != 0){
|
|
|
6850d1e |
+ HID_DEVICE_TYPE, &hid_desc) != 0) {
|
|
|
6850d1e |
dev_err(&usbinterface->dev,
|
|
|
6850d1e |
"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
|
|
|
6850d1e |
error = -EIO;
|
|
|
6850d1e |
--
|
|
|
6850d1e |
2.5.0
|