USB: cdc-acm: more sanity checking

commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream. An attack has become available which pretends to be a quirky device circumventing normal sanity checks and crashes the kernel by an insufficient number of interfaces. This patch adds a check to the code path for quirky devices. Signed-off-by: Oliver Neukum <ONeukum@suse.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
author: Oliver Neukum <oneukum@suse.com> 2016-03-15 10:14:04 +0100
committer: Jiri Slaby <jslaby@suse.cz> 2016-04-11 16:44:04 +0200
commit: f475db149d75bf100084a813ce9e1e9f4fa508e7 (patch)
tree: a560cad1b8f4a5b4b5d47e7a4f6211a35305a1ee /drivers/usb
parent: 0db3d20b766d627cf60f61c9d2c3d92dc3359fa9 (diff)
download: lwn-f475db149d75bf100084a813ce9e1e9f4fa508e7.tar.gz
lwn-f475db149d75bf100084a813ce9e1e9f4fa508e7.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index c0ed832d8ad5..ba6b978d9de4 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -989,6 +989,9 @@ static int acm_probe(struct usb_interface *intf,
 	if (quirks == NO_UNION_NORMAL) {
 		data_interface = usb_ifnum_to_if(usb_dev, 1);
 		control_interface = usb_ifnum_to_if(usb_dev, 0);
+		/* we would crash */
+		if (!data_interface || !control_interface)
+			return -ENODEV;
 		goto skip_normal_probe;
 	}
author	Oliver Neukum <oneukum@suse.com>	2016-03-15 10:14:04 +0100
committer	Jiri Slaby <jslaby@suse.cz>	2016-04-11 16:44:04 +0200
commit	f475db149d75bf100084a813ce9e1e9f4fa508e7 (patch)
tree	a560cad1b8f4a5b4b5d47e7a4f6211a35305a1ee /drivers/usb
parent	0db3d20b766d627cf60f61c9d2c3d92dc3359fa9 (diff)
download	lwn-f475db149d75bf100084a813ce9e1e9f4fa508e7.tar.gz lwn-f475db149d75bf100084a813ce9e1e9f4fa508e7.zip