diff options
| author | Shuah Khan <shuahkh@osg.samsung.com> | 2017-12-07 14:16:47 -0700 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-02-13 18:42:32 +0000 |
| commit | 65060ba29cc54b3d5f76ceacf3c820f2087c35e6 (patch) | |
| tree | 87b31eed5569cd345c9d851661a532d86cc7dbba | |
| parent | d848638ac8f13ed35ed1027bfe56d74d2a46beb8 (diff) | |
| download | linux-65060ba29cc54b3d5f76ceacf3c820f2087c35e6.tar.gz linux-65060ba29cc54b3d5f76ceacf3c820f2087c35e6.tar.bz2 linux-65060ba29cc54b3d5f76ceacf3c820f2087c35e6.zip | |
usbip: fix stub_rx: get_pipe() to validate endpoint number
commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 upstream.
get_pipe() routine doesn't validate the input endpoint number
and uses to reference ep_in and ep_out arrays. Invalid endpoint
number can trigger BUG(). Range check the epnum and returning
error instead of calling BUG().
Change caller stub_recv_cmd_submit() to handle the get_pipe()
error return.
Reported-by: Secunia Research <vuln@secunia.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | drivers/staging/usbip/stub_rx.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/drivers/staging/usbip/stub_rx.c b/drivers/staging/usbip/stub_rx.c index f662e1b95fab..248184462375 100644 --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c @@ -342,15 +342,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + if (epnum < 0 || epnum > 15) + goto err_ret; + if (dir == USBIP_DIR_IN) ep = udev->ep_in[epnum & 0x7f]; else ep = udev->ep_out[epnum & 0x7f]; - if (!ep) { - dev_err(&sdev->udev->dev, "no such endpoint?, %d\n", - epnum); - BUG(); - } + if (!ep) + goto err_ret; epd = &ep->desc; if (usb_endpoint_xfer_control(epd)) { @@ -381,9 +381,10 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) return usb_rcvisocpipe(udev, epnum); } +err_ret: /* NOT REACHED */ - dev_err(&sdev->udev->dev, "get pipe, epnum %d\n", epnum); - return 0; + dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); + return -1; } static void masking_bogus_flags(struct urb *urb) @@ -449,6 +450,9 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, struct usb_device *udev = sdev->udev; int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + if (pipe == -1) + return; + priv = stub_priv_alloc(sdev, pdu); if (!priv) return; |