Commit ea9c77de authored by Johan Hovold, committed by Kelsey Skunberg

media: ov519: add missing endpoint sanity checks

CVE-2020-11608

Make sure to check that we have at least one endpoint before accessing
the endpoint array to avoid dereferencing a NULL-pointer on stream
start.

Note that these sanity checks are not redundant as the driver is mixing
looking up altsettings by index and by number, which need not coincide.

Fixes: 1876bb92 ("V4L/DVB (12079): gspca_ov519: add support for the ov511 bridge")
Fixes: b282d873 ("V4L/DVB (12080): gspca_ov519: Fix ov518+ with OV7620AE (Trust spacecam 320)")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
(cherry picked from commit 99891234)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
parent 7e15b584
...@@ -3512,6 +3512,11 @@ static void ov511_mode_init_regs(struct sd *sd) ...@@ -3512,6 +3512,11 @@ static void ov511_mode_init_regs(struct sd *sd)
return; return;
} }
if (alt->desc.bNumEndpoints < 1) {
sd->gspca_dev.usb_err = -ENODEV;
return;
}
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5); reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5);
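Review bot: in ov511_mode_init_regs() the new bNumEndpoints check makes endpoint[0] safe to dereference, but the wMaxPacketSize read on the following line is still a device-supplied value that reaches reg_w(sd, R51x_FIFO_PSIZE, packet_size >> 5) with no range check. Nothing in this hunk rejects a descriptor that reports a zero or unexpected packet size, or confirms that endpoint[0] is the endpoint the driver intends to stream from. Consider validating the endpoint and packet_size at the same point and failing through usb_err in the same way as the new branch.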
...@@ -3642,6 +3647,11 @@ static void ov518_mode_init_regs(struct sd *sd) ...@@ -3642,6 +3647,11 @@ static void ov518_mode_init_regs(struct sd *sd)
return; return;
} }
if (alt->desc.bNumEndpoints < 1) {
sd->gspca_dev.usb_err = -ENODEV;
return;
}
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2); ov518_reg_w32(sd, R51x_FIFO_PSIZE, packet_size & ~7, 2);
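Review bot: the bNumEndpoints block added to ov518_mode_init_regs() is a verbatim copy of the one added to ov511_mode_init_regs(), and both set usb_err to -ENODEV and return without emitting any message. A small shared helper that performs the check and logs why the altsetting was rejected would keep the two paths in sync and make a device with a malformed descriptor visible in the kernel log rather than a silent stream-start failure.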