Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754257AbcDVLOH (ORCPT <rfc822;w@1wt.eu>);
	Fri, 22 Apr 2016 07:14:07 -0400
Received: from mx2.suse.de ([195.135.220.15]:43950 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753703AbcDVLGa (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 22 Apr 2016 07:06:30 -0400
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Vladis Dronov <vdronov@redhat.com>,
        Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
        Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 56/78] usbvision: fix crash on detecting device with invalid configuration
Date: Fri, 22 Apr 2016 13:05:39 +0200
Message-Id: <5b166252bc3084f069bf8213ca5fa0861ccd44c4.1461323133.git.jslaby@suse.cz>
X-Mailer: git-send-email 2.8.1
In-Reply-To: <e6927c3f8ba5d1c4cf9a32edcaeaef4f9d3b9764.1461323133.git.jslaby@suse.cz>
References: <e6927c3f8ba5d1c4cf9a32edcaeaef4f9d3b9764.1461323133.git.jslaby@suse.cz>
In-Reply-To: <cover.1461323133.git.jslaby@suse.cz>
References: <cover.1461323133.git.jslaby@suse.cz>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1920
Lines: 51

From: Vladis Dronov <vdronov@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fa52bd506f274b7619955917abfde355e3d19ffe upstream.

The usbvision driver crashes when a specially crafted usb device with invalid
number of interfaces or endpoints is detected. This fix adds checks that the
device has proper configuration expected by the driver.

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index 632a3f117c88..d4a222ea8197 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1548,9 +1548,23 @@ static int usbvision_probe(struct usb_interface *intf,
 
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
-	else
+	else if (ifnum < dev->actconfig->desc.bNumInterfaces)
 		interface = &dev->actconfig->interface[ifnum]->altsetting[0];
+	else {
+		dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
+		    ifnum, dev->actconfig->desc.bNumInterfaces - 1);
+		ret = -ENODEV;
+		goto err_usb;
+	}
+
+	if (interface->desc.bNumEndpoints < 2) {
+		dev_err(&intf->dev, "interface %d has %d endpoints, but must"
+		    " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
+		ret = -ENODEV;
+		goto err_usb;
+	}
 	endpoint = &interface->endpoint[1].desc;
+
 	if (!usb_endpoint_xfer_isoc(endpoint)) {
 		dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
 		    __func__, ifnum);
-- 
2.8.1