USB: cypress_m8: add endpoint sanity check

An attack using missing endpoints exists.

CVE-2016-3137

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 5 insertions, 6 deletions

diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index b283eb8b86d6..bbeeb2bd55a8 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
         struct usb_serial *serial = port->serial;
         struct cypress_private *priv;
 
+        if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+                dev_err(&port->dev, "required endpoint is missing\n");
+                return -ENODEV;
+        }
+
         priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
         if (!priv)
                 return -ENOMEM;
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
                 cypress_set_termios(tty, port, &priv->tmp_termios);
 
         /* setup the port and start reading from the device */
-        if (!port->interrupt_in_urb) {
-                dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
-                        __func__);
-                return -1;
-        }
-
         usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
                 usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
                 port->interrupt_in_urb->transfer_buffer,