[PATCH] usbvision fix overflow of interfaces array

Oliver Neukum Tue, 27 Oct 2015 04:54:07 -0700

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.


Signed-off-by: Oliver Neukum <oneu...@suse.com>
---
 drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c 
b/drivers/media/usb/usbvision/usbvision-video.c
index b693206..ad33d99 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_interface *intf,
        printk(KERN_INFO "%s: %s found\n", __func__,
                                usbvision_device_data[model].model_string);
 
+       /*
+        * this is a security check.
+        * an exploit using an incorrect bInterfaceNumber is known
+        */
+       if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+               return -ENODEV;
+
        if (usbvision_device_data[model].interface >= 0)
                interface = 
&dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
        else
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] usbvision fix overflow of interfaces array

Reply via email to