Commit 09068c1a authored by Johan Hovold's avatar Johan Hovold Committed by Greg Kroah-Hartman

USB: atm: ueagle-atm: add missing endpoint check

Make sure that the interrupt interface has an endpoint before trying to
access its endpoint descriptors to avoid dereferencing a NULL pointer.

The driver binds to the interrupt interface with interface number 0, but
must not assume that this interface or its current alternate setting are
the first entries in the corresponding configuration arrays.

Fixes: b72458a8 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.16
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3c11c4be
...@@ -2124,10 +2124,11 @@ static void uea_intr(struct urb *urb) ...@@ -2124,10 +2124,11 @@ static void uea_intr(struct urb *urb)
/* /*
* Start the modem : init the data and start kernel thread * Start the modem : init the data and start kernel thread
*/ */
static int uea_boot(struct uea_softc *sc) static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
{ {
int ret, size;
struct intr_pkt *intr; struct intr_pkt *intr;
int ret = -ENOMEM;
int size;
uea_enters(INS_TO_USBDEV(sc)); uea_enters(INS_TO_USBDEV(sc));
...@@ -2152,6 +2153,11 @@ static int uea_boot(struct uea_softc *sc) ...@@ -2152,6 +2153,11 @@ static int uea_boot(struct uea_softc *sc)
if (UEA_CHIP_VERSION(sc) == ADI930) if (UEA_CHIP_VERSION(sc) == ADI930)
load_XILINX_firmware(sc); load_XILINX_firmware(sc);
if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
ret = -ENODEV;
goto err0;
}
intr = kmalloc(size, GFP_KERNEL); intr = kmalloc(size, GFP_KERNEL);
if (!intr) if (!intr)
goto err0; goto err0;
...@@ -2163,8 +2169,7 @@ static int uea_boot(struct uea_softc *sc) ...@@ -2163,8 +2169,7 @@ static int uea_boot(struct uea_softc *sc)
usb_fill_int_urb(sc->urb_int, sc->usb_dev, usb_fill_int_urb(sc->urb_int, sc->usb_dev,
usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
intr, size, uea_intr, sc, intr, size, uea_intr, sc,
sc->usb_dev->actconfig->interface[0]->altsetting[0]. intf->cur_altsetting->endpoint[0].desc.bInterval);
endpoint[0].desc.bInterval);
ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
if (ret < 0) { if (ret < 0) {
...@@ -2179,6 +2184,7 @@ static int uea_boot(struct uea_softc *sc) ...@@ -2179,6 +2184,7 @@ static int uea_boot(struct uea_softc *sc)
sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
if (IS_ERR(sc->kthread)) { if (IS_ERR(sc->kthread)) {
uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
ret = PTR_ERR(sc->kthread);
goto err2; goto err2;
} }
...@@ -2193,7 +2199,7 @@ static int uea_boot(struct uea_softc *sc) ...@@ -2193,7 +2199,7 @@ static int uea_boot(struct uea_softc *sc)
kfree(intr); kfree(intr);
err0: err0:
uea_leaves(INS_TO_USBDEV(sc)); uea_leaves(INS_TO_USBDEV(sc));
return -ENOMEM; return ret;
} }
/* /*
...@@ -2548,7 +2554,7 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf, ...@@ -2548,7 +2554,7 @@ static int uea_bind(struct usbatm_data *usbatm, struct usb_interface *intf,
} }
} }
ret = uea_boot(sc); ret = uea_boot(sc, intf);
if (ret < 0) if (ret < 0)
goto error; goto error;
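Review bot: The new guard `bNumEndpoints < 1` only proves that `endpoint[0]` exists, not that it is the interrupt-IN endpoint the URB is built for: `usb_fill_int_urb()` still uses the fixed `usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE)` while taking `bInterval` from whichever descriptor the device lists first. Since these descriptors are supplied by the attached device, a malformed one can pair the hard-coded pipe with an unrelated endpoint's interval, so I would also reject a type mismatch, e.g. `if (!usb_endpoint_is_int_in(&intf->cur_altsetting->endpoint[0].desc)) { ret = -ENODEV; goto err0; }`. Whether the endpoint address should additionally be compared with UEA_INTR_PIPE depends on that macro's definition, which is outside the hunks shown. The check also sits after `load_XILINX_firmware(sc)`; placing it at the top of uea_boot() would fail before any firmware work starts, though the lines between the hunks are not visible here.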