media: stv06xx: add missing descriptor sanity checks

commit 485b06aadb933190f4bc44e006076bc27a23f205 upstream.

Make sure to check that we have two alternate settings and at least one
endpoint before accessing the second altsetting structure and
dereferencing the endpoint arrays.

This specifically avoids dereferencing NULL-pointers or corrupting
memory when a device does not have the expected descriptors.

Note that the sanity checks in stv06xx_start() and pb0100_start() are
not redundant as the driver is mixing looking up altsettings by index
and by number, which may not coincide.

Fixes: 8668d504d72c ("V4L/DVB (12082): gspca_stv06xx: Add support for st6422 bridge and sensor")
Fixes: c0b33bdc5b8d ("[media] gspca-stv06xx: support bandwidth changing")
Cc: stable <stable@vger.kernel.org>     # 2.6.31
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
index e72c3e1ab9ff41f0a39d685d4615a8bd3cb06914..9caa5ef9d9e08f1b2bbe9ec9390119355c6e2150 100644 (file)
--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
@@ -289,6 +289,9 @@ static int stv06xx_start(struct gspca_dev *gspca_dev)
                return -EIO;
        }
 
+       if (alt->desc.bNumEndpoints < 1)
+               return -ENODEV;
+
        packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
        err = stv06xx_write_bridge(sd, STV_ISO_SIZE_L, packet_size);
        if (err < 0)
@@ -313,11 +316,21 @@ out:
 
 static int stv06xx_isoc_init(struct gspca_dev *gspca_dev)
 {
+       struct usb_interface_cache *intfc;
        struct usb_host_interface *alt;
        struct sd *sd = (struct sd *) gspca_dev;
 
+       intfc = gspca_dev->dev->actconfig->intf_cache[0];
+
+       if (intfc->num_altsetting < 2)
+               return -ENODEV;
+
+       alt = &intfc->altsetting[1];
+
+       if (alt->desc.bNumEndpoints < 1)
+               return -ENODEV;
+
        /* Start isoc bandwidth "negotiation" at max isoc bandwidth */
-       alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
        alt->endpoint[0].desc.wMaxPacketSize =
                cpu_to_le16(sd->sensor->max_packet_size[gspca_dev->curr_mode]);
 
@@ -330,6 +343,10 @@ static int stv06xx_isoc_nego(struct gspca_dev *gspca_dev)
        struct usb_host_interface *alt;
        struct sd *sd = (struct sd *) gspca_dev;
 
+       /*
+        * Existence of altsetting and endpoint was verified in
+        * stv06xx_isoc_init()
+        */
        alt = &gspca_dev->dev->actconfig->intf_cache[0]->altsetting[1];
        packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
        min_packet_size = sd->sensor->min_packet_size[gspca_dev->curr_mode];

diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
index e1ce96e9405f5ed89a23c5c0a59a7b5290b5cd93..8d855b2756ba0647db08d4eb6b3ecf4f4b840bf8 100644 (file)
--- a/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
@@ -194,6 +194,10 @@ static int pb0100_start(struct sd *sd)
        alt = usb_altnum_to_altsetting(intf, sd->gspca_dev.alt);
        if (!alt)
                return -ENODEV;
+
+       if (alt->desc.bNumEndpoints < 1)
+               return -ENODEV;
+
        packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
 
        /* If we don't have enough bandwidth use a lower framerate */