From 2ea39fc263c6a7589e15edb7d2d1c89fa569be53 Mon Sep 17 00:00:00 2001

From: Vladis Dronov <vdronov@redhat.com>

Date: Mon, 16 Nov 2015 15:55:11 -0200

Subject: [PATCH] usbvision: fix crash on detecting device with invalid

 configuration

The usbvision driver crashes when a specially crafted usb device with invalid

number of interfaces or endpoints is detected. This fix adds checks that the

device has proper configuration expected by the driver.

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>

Signed-off-by: Vladis Dronov <vdronov@redhat.com>

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

---

 drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-

 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c

index b693206f66dd..d1dc1a198e3e 100644

--- a/drivers/media/usb/usbvision/usbvision-video.c

+++ b/drivers/media/usb/usbvision/usbvision-video.c

@@ -1463,9 +1463,23 @@ static int usbvision_probe(struct usb_interface *intf,

 	if (usbvision_device_data[model].interface >= 0)

 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];

-	else

+	else if (ifnum < dev->actconfig->desc.bNumInterfaces)

 		interface = &dev->actconfig->interface[ifnum]->altsetting[0];

+	else {

+		dev_err(&intf->dev, "interface %d is invalid, max is %d\n",

+		    ifnum, dev->actconfig->desc.bNumInterfaces - 1);

+		ret = -ENODEV;

+		goto err_usb;

+	}

+

+	if (interface->desc.bNumEndpoints < 2) {

+		dev_err(&intf->dev, "interface %d has %d endpoints, but must"

+		    " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);

+		ret = -ENODEV;

+		goto err_usb;

+	}

 	endpoint = &interface->endpoint[1].desc;

+

 	if (!usb_endpoint_xfer_isoc(endpoint)) {

 		dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",

 		    __func__, ifnum);

-- 

2.5.0