Commit 670a7c5d authored by Johan Hovold's avatar Johan Hovold Committed by Greg Kroah-Hartman

ath9k_htc: fix NULL-deref at probe

commit ebeb3667 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce43 ("ath9k_htc: Handle storage devices")
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8431037b
...@@ -1217,6 +1217,9 @@ static int send_eject_command(struct usb_interface *interface) ...@@ -1217,6 +1217,9 @@ static int send_eject_command(struct usb_interface *interface)
u8 bulk_out_ep; u8 bulk_out_ep;
int r; int r;
if (iface_desc->desc.bNumEndpoints < 2)
return -ENODEV;
/* Find bulk out endpoint */ /* Find bulk out endpoint */
for (r = 1; r >= 0; r--) { for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc; endpoint = &iface_desc->endpoint[r].desc;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment