From patchwork Mon Mar 13 12:44:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Johan Hovold <johan@kernel.org>
X-Patchwork-Id: 9620721
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0FE7560414 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 13 Mar 2017 12:45:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F3F312848D
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 13 Mar 2017 12:45:17 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E8CBE2848F; Mon, 13 Mar 2017 12:45:17 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B258D2848D
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 13 Mar 2017 12:45:17 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752996AbdCMMo4 (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 13 Mar 2017 08:44:56 -0400
Received: from mail-lf0-f67.google.com ([209.85.215.67]:35353 "EHLO
	mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751047AbdCMMot (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Mon, 13 Mar 2017 08:44:49 -0400
Received: by mail-lf0-f67.google.com with SMTP id v2so11751193lfi.2;
	Mon, 13 Mar 2017 05:44:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=LHCsZZjI4D2SHIlzebA+iKcO2HaCZX/jIxgkUWdADyg=;
	b=jPfrA2jjQW6lK5MI8hRmFrcpqbcvzEXl8vZJC++jl9PLQDD2V0bjndJSmBrPl8NtOl
	xp5ZlBZo7ixvrxtx1e+mw76kVojBF/rBd5+mY8Nmeli04lbyKVD9/VC9TyHE99IsiR7X
	NNvdhMn94UWCwtqvdMtmYys2LzcliUONudoOlHgO//iOs430b1vW+plhgyfiQJL3v1Ae
	76CuQPQ/VrU+w+t9UYtZ21I9vhPP4HWW5EqzPMq9PGBy/OTS4oRqrX+6TpYqH4csW+qY
	iXneQaw7/e8oy6obmYlP+3cq8HvGV7ZU4pcVoEUB5aFNZnVhLPYdaaW7kZt+YjvkKriT
	II/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:in-reply-to:references;
	bh=LHCsZZjI4D2SHIlzebA+iKcO2HaCZX/jIxgkUWdADyg=;
	b=bpeNeCE5ImkhJ5s7l/YIbAd+9wAmYIwExomRVBSe4J+QK1wvA8WLhihMnKRRFST3rv
	47hfxxI5opgp3Zcz2YK3GF++xubJkcgkWiwmUmGJpk+n8Py+Me5e5hD2GFV+MSZzoytQ
	A/tU2VLFA2wJiH8bPaymr9k76wPJJaJCIlPhU7ritGu4o7cYA7BaEo/llIGkf9zp2WFU
	gHZCSNJ0Kxh/ayu3ZAalY2LthMFYJVZirW9Y2UlRgZTkkMa5h2S+NLaVoAIaHkH/RcvP
	lukXeFgrEpg6QP8cLGfsHhKj9FwiCs9WaZyLsd8z1glFueZw9c+RJhiGRjfOdhNQNR88
	wR2g==
X-Gm-Message-State: 
 AMke39lRAtqwMAZYR2EreVDcv7fyUR4VFjSFah67PXtpAIMal2rl6RoygPrSWRpC6uCA3A==
X-Received: by 10.46.87.9 with SMTP id l9mr9627708ljb.109.1489409086795;
	Mon, 13 Mar 2017 05:44:46 -0700 (PDT)
Received: from xi.terra ([84.216.234.102]) by smtp.gmail.com with ESMTPSA id
	m127sm3575596lfg.58.2017.03.13.05.44.45
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 13 Mar 2017 05:44:45 -0700 (PDT)
Received: from johan by xi.terra with local (Exim 4.89)
	(envelope-from <johan@xi.terra>)
	id 1cnPL3-0007Rr-6Z; Mon, 13 Mar 2017 13:44:37 +0100
From: Johan Hovold <johan@kernel.org>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: QCA ath9k Development <ath9k-devel@qca.qualcomm.com>,
	Daniel Drake <dsd@gentoo.org>, Ulrich Kunitz <kune@deine-taler.de>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Johan Hovold <johan@kernel.org>
Subject: [PATCH 2/2] wireless: zd1211rw: fix NULL-deref at probe
Date: Mon, 13 Mar 2017 13:44:21 +0100
Message-Id: <20170313124421.28587-2-johan@kernel.org>
X-Mailer: git-send-email 2.12.0
In-Reply-To: <20170313124421.28587-1-johan@kernel.org>
References: <20170313124421.28587-1-johan@kernel.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device
into WLAN device")
Cc: Daniel Drake <dsd@gentoo.org>

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/net/wireless/zydas/zd1211rw/zd_usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
index c5effd6c6be9..01ca1d57b3d9 100644
--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
@@ -1278,6 +1278,9 @@ static int eject_installer(struct usb_interface *intf)
 	u8 bulk_out_ep;
 	int r;
 
+	if (iface_desc->desc.bNumEndpoints < 2)
+		return -ENODEV;
+
 	/* Find bulk out endpoint */
 	for (r = 1; r >= 0; r--) {
 		endpoint = &iface_desc->endpoint[r].desc;