From patchwork Mon Mar 13 12:44:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johan Hovold X-Patchwork-Id: 738097 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3vhcz8184Kz9s78 for ; Mon, 13 Mar 2017 23:45:24 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="KNCegu9L"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752449AbdCMMoy (ORCPT ); Mon, 13 Mar 2017 08:44:54 -0400 Received: from mail-lf0-f67.google.com ([209.85.215.67]:33682 "EHLO mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750808AbdCMMot (ORCPT ); Mon, 13 Mar 2017 08:44:49 -0400 Received: by mail-lf0-f67.google.com with SMTP id r36so11764520lfi.0; Mon, 13 Mar 2017 05:44:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id; bh=W0aqc1LNEUvvqVTL0CNFjgp8pXKHEQkjqxGvigsEP3s=; b=KNCegu9Lcd09IkQK3BroXpZEwZfD301ILibIz31v2oUF3p78UNKxnFB3KBM189oTbo tXG37YuBQ3wLolPq7vOChMypkSvCDsJRCUgGCC8QLPuRxSjaRvJuLf2of/2URlZ4053l sagYMZJfGRtV8tyIAA+Dt55AHM/8g0YzxCfoP4RQPh/9aNKN7ISgPmPjgxYohi1qgndC 0WEUoZOukmabO7dClqjGTwYoEb0KUxJxMZmNgWXQTD/08pSH6y2MfVc5Tmz2sBuPcIIB Ggh0mL45vChwNwIwPmjtvAt0OYoivQ7GiZUxy357JbCgsJzLIg0IM1uSi7LCuUlxHnjh TYow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=W0aqc1LNEUvvqVTL0CNFjgp8pXKHEQkjqxGvigsEP3s=; b=bddRYl0sLakQgKHLbRVNTT/IgL8AQfL4GaUW0rUve9Q5C+PeyGJhqzt0Qa3EeNiv3b SX+wEhyew3Q3G++W2b6gp2MyWlk5iK8Qp4+y2nkJhcz4IAqQsydrUaqNjsT5UL92sa07 Y/kL3+D19AL8kwR8jz7L21zbdZbMT5T51S9L8dSJY8DvH7YKzHiV/LWR9/QBxHm6EwmA qaRuL7HgOX+jZul4EFkv6frY2BgFAjLhucFficmdowzEb9SRvHhDJrWgmqf0oaw8kT25 X3MR1f4uJ3QBxM+LWDtf3+FV7do580D0Oc0wKeeiMTKGLcBtSet5nyVyGMJifanOat9Z AjCA== X-Gm-Message-State: AMke39mclVA+iEqzSfI4BLpb0mhNz3FEX6/aXzr8rc9iZrjWcnni/XNpBS7DgZBVGXB8tw== X-Received: by 10.25.43.8 with SMTP id r8mr7346798lfr.41.1489409086380; Mon, 13 Mar 2017 05:44:46 -0700 (PDT) Received: from xi.terra ([84.216.234.102]) by smtp.gmail.com with ESMTPSA id t125sm3556659lff.31.2017.03.13.05.44.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Mar 2017 05:44:45 -0700 (PDT) Received: from johan by xi.terra with local (Exim 4.89) (envelope-from ) id 1cnPL3-0007Ro-3D; Mon, 13 Mar 2017 13:44:37 +0100 From: Johan Hovold To: Kalle Valo Cc: QCA ath9k Development , Daniel Drake , Ulrich Kunitz , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold , Sujith Manoharan Subject: [PATCH 1/2] wireless: ath9k_htc: fix NULL-deref at probe Date: Mon, 13 Mar 2017 13:44:20 +0100 Message-Id: <20170313124421.28587-1-johan@kernel.org> X-Mailer: git-send-email 2.12.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory beyond the endpoint array should a malicious device lack the expected endpoints. Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") Cc: Sujith Manoharan Signed-off-by: Johan Hovold --- drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index de2d212f39ec..9206955e865a 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -1219,6 +1219,9 @@ static int send_eject_command(struct usb_interface *interface) u8 bulk_out_ep; int r; + if (iface_desc->desc.bNumEndpoints < 2) + return -ENODEV; + /* Find bulk out endpoint */ for (r = 1; r >= 0; r--) { endpoint = &iface_desc->endpoint[r].desc;