From: Johan Hovold <jo...@kernel.org>
[ Upstream commit ca260ece6a57dc7d751e0685f51fa2c55d851873 ]
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into
WLAN device")
Cc: Daniel Drake <d...@gentoo.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.le...@microsoft.com>
---
drivers/net/wireless/zydas/zd1211rw/zd_usb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
index c5effd6c6be9..01ca1d57b3d9 100644
--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
@@ -1278,6 +1278,9 @@ static int eject_installer(struct usb_interface *intf)
u8 bulk_out_ep;
int r;
+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
--
2.14.1
