authorMartin Pieuchot <mpi@cvs.openbsd.org>2016-09-02 09:20:01 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2016-09-02 09:20:01 +0000
commita26f38848adb662449cd85abc3e34f76fc550a0c (patch)
tree69153a2fcfad01355be5053d9c29e409ce8d562d /sys/dev
parentfe7af4c9c3612ca0b09115f8d0312efa4fe61191 (diff)
Prevent a NULL dereference, triggerable with a crafted configuration
descriptor with a bad type. Found with umap2 and a facedancer21.
Diffstat (limited to 'sys/dev')
-rw-r--r--sys/dev/usb/usb_subr.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/dev/usb/usb_subr.c b/sys/dev/usb/usb_subr.c
index 4495a49483b..422aa29374b 100644
--- a/sys/dev/usb/usb_subr.c
+++ b/sys/dev/usb/usb_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: usb_subr.c,v 1.123 2016/05/23 11:31:12 mpi Exp $ */
+/* $OpenBSD: usb_subr.c,v 1.124 2016/09/02 09:20:00 mpi Exp $ */
/* $NetBSD: usb_subr.c,v 1.103 2003/01/10 11:19:13 augustss Exp $ */
/* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
@@ -663,8 +663,10 @@ usbd_set_config_index(struct usbd_device *dev, int index, int msg)
/* Get the short descriptor. */
err = usbd_get_desc(dev, UDESC_CONFIG, index,
USB_CONFIG_DESCRIPTOR_SIZE, &cd);
- if (err || cd.bDescriptorType != UDESC_CONFIG)
+ if (err)
return (err);
+ if (cd.bDescriptorType != UDESC_CONFIG)
+ return (USBD_INVAL);
len = UGETW(cd.wTotalLength);
cdp = malloc(len, M_USB, M_NOWAIT);
if (cdp == NULL)
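Review bot: `len` still comes straight from the device-supplied `cd.wTotalLength` and goes to `malloc()` with no lower bound, so a descriptor with the correct `bDescriptorType` but a `wTotalLength` smaller than `USB_CONFIG_DESCRIPTOR_SIZE` passes the new check. If the code after this hunk reads configuration-header fields through `cdp`, it would be reading past a short allocation. Consider adding `if (len < USB_CONFIG_DESCRIPTOR_SIZE) return (USBD_INVAL);` right after the `UGETW()` line, for the same class of crafted descriptor this commit targets. The body of usbd_set_config_index() continues outside the hunk, so a later length check may already exist and should be confirmed.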