Subject:    [PATCH v2] mct_u232: sanity checking in probe
From:       Oliver Neukum <oneukum@suse.com>
Date:       2016-03-21 13:14:37

An attack using the lack of sanity checking in probe
is known. This patch checks for the existance of a
second port.
CVE-2016-3136

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org

v1 - add sanity check for presence of a second port
v2 - add sanity check for an interrupt endpoint
---
 drivers/usb/serial/mct_u232.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 4446b8d..3e64538 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
 {
 	struct mct_u232_private *priv;
 
+	/* check first to simplify error handling */
+	if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
+		return -ENODEV;
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
-- 
2.1.4