diff options
Diffstat (limited to 'freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch')
| -rw-r--r-- | freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch new file mode 100644 index 000000000..849f607a5 --- /dev/null +++ b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch @@ -0,0 +1,49 @@ +Subject: [PATCH] Input: gtco: fix crash on detecting device without endpoints +From: Vladis Dronov <vdronov@redhat.com> +Date: 2016-03-18 18:35:00 + +The gtco driver expects at least one valid endpoint. If given +malicious descriptors that specify 0 for the number of endpoints, +it will crash in the probe function. Ensure there is at least +one endpoint on the interface before using it. Fix minor coding +style issue. + +The full report of this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/86 + +Reported-by: Ralf Spenneberg <ralf@spenneberg.net> +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +--- + drivers/input/tablet/gtco.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c +index 3a7f3a4..7c18249 100644 +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface, + goto err_free_buf; + } + ++ /* Sanity check that a device has an endpoint */ ++ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ dev_err(&usbinterface->dev, ++ "Invalid number of endpoints\n"); ++ error = -EINVAL; ++ goto err_free_urb; ++ } ++ + /* + * The endpoint is always altsetting 0, we know this since we know + * this device only has one interrupt endpoint +@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface, + * HID report descriptor + */ + if (usb_get_extra_descriptor(usbinterface->cur_altsetting, +- HID_DEVICE_TYPE, &hid_desc) != 0){ ++ HID_DEVICE_TYPE, &hid_desc) != 0) { + dev_err(&usbinterface->dev, + "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); + error = -EIO; +-- +2.5.0 |
