diff options
| author | David Linares <dlinares.linux@gmail.com> | 2013-03-25 06:50:27 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-25 13:57:37 -0400 |
| commit | 769d7368b1727b1b5369d88badf0cbdf0163e079 (patch) | |
| tree | 29fabb4a85ce78d944ac28154b63c71f57ad4cdd | |
| parent | 5410a473fb7a466020af31e8b400c2d14ed94925 (diff) | |
USB: hub: Avoid NULL pointer dereference when hub doesn't have any ports
Return an error if hub->descriptor->bNbrPorts==0. Without this additional
check, we can end up doing a "hub->ports = kzalloc(0, GFP_KERNEL)".
This hub->ports pointer will therefore be non-NULL and will be used.
Example of dmesg:
INIT: usb 1-1: New USB device found, idVendor=0424, idProduct=2512
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
hub 1-1:1.0: USB hub found
version 2.86 bootinghub 1-1:1.0: 0 ports detected
Unable to handle kernel NULL pointer dereference at virtual address 00000010
Signed-off-by: David Linares <dlinares.linux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/core/hub.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 5480352f984d..781546269d26 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c | |||
| @@ -1317,6 +1317,10 @@ static int hub_configure(struct usb_hub *hub, | |||
| 1317 | message = "hub has too many ports!"; | 1317 | message = "hub has too many ports!"; |
| 1318 | ret = -ENODEV; | 1318 | ret = -ENODEV; |
| 1319 | goto fail; | 1319 | goto fail; |
| 1320 | } else if (hub->descriptor->bNbrPorts == 0) { | ||
| 1321 | message = "hub doesn't have any ports!"; | ||
| 1322 | ret = -ENODEV; | ||
| 1323 | goto fail; | ||
| 1320 | } | 1324 | } |
| 1321 | 1325 | ||
| 1322 | hdev->maxchild = hub->descriptor->bNbrPorts; | 1326 | hdev->maxchild = hub->descriptor->bNbrPorts; |