summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Linares <dlinares.linux@gmail.com>2013-03-25 11:50:27 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-25 18:57:37 +0100
commit769d7368b1727b1b5369d88badf0cbdf0163e079 (patch)
tree29fabb4a85ce78d944ac28154b63c71f57ad4cdd
parentusbnet: smsc75xx: don't recover device if suspend fails in system sleep (diff)
downloadlinux-769d7368b1727b1b5369d88badf0cbdf0163e079.tar.xz
linux-769d7368b1727b1b5369d88badf0cbdf0163e079.zip
USB: hub: Avoid NULL pointer dereference when hub doesn't have any ports
Return an error if hub->descriptor->bNbrPorts==0. Without this additional check, we can end up doing a "hub->ports = kzalloc(0, GFP_KERNEL)". This hub->ports pointer will therefore be non-NULL and will be used. Example of dmesg: INIT: usb 1-1: New USB device found, idVendor=0424, idProduct=2512 usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 hub 1-1:1.0: USB hub found version 2.86 bootinghub 1-1:1.0: 0 ports detected Unable to handle kernel NULL pointer dereference at virtual address 00000010 Signed-off-by: David Linares <dlinares.linux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/core/hub.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 5480352f984d..781546269d26 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1317,6 +1317,10 @@ static int hub_configure(struct usb_hub *hub,
message = "hub has too many ports!";
ret = -ENODEV;
goto fail;
+ } else if (hub->descriptor->bNbrPorts == 0) {
+ message = "hub doesn't have any ports!";
+ ret = -ENODEV;
+ goto fail;
}
hdev->maxchild = hub->descriptor->bNbrPorts;