3.2.80-rc1 review patch. If anyone has any objections, please let me know.
------------------ From: Oliver Neukum <[email protected]> commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream. An attack using the lack of sanity checking in probe is known. This patch checks for the existence of a second port. CVE-2016-3136 Signed-off-by: Oliver Neukum <[email protected]> [johan: add error message ] Signed-off-by: Johan Hovold <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> [bwh: Backported to 3.2: put the check in mct_u232_startup(), which already has a 'serial' variable] Signed-off-by: Ben Hutchings <[email protected]> --- --- a/drivers/usb/serial/mct_u232.c +++ b/drivers/usb/serial/mct_u232.c @@ -443,6 +443,12 @@ static int mct_u232_startup(struct usb_s struct mct_u232_private *priv; struct usb_serial_port *port, *rport; + /* check first to simplify error handling */ + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { + dev_err(&port->dev, "expected endpoint missing\n"); + return -ENODEV; + } + priv = kzalloc(sizeof(struct mct_u232_private), GFP_KERNEL); if (!priv) return -ENOMEM;
