diff options
author | Martin Pieuchot <mpi@cvs.openbsd.org> | 2016-09-02 09:20:01 +0000 |
---|---|---|
committer | Martin Pieuchot <mpi@cvs.openbsd.org> | 2016-09-02 09:20:01 +0000 |
commit | a26f38848adb662449cd85abc3e34f76fc550a0c (patch) | |
tree | 69153a2fcfad01355be5053d9c29e409ce8d562d /sys/dev | |
parent | fe7af4c9c3612ca0b09115f8d0312efa4fe61191 (diff) |
Prevent a NULL dereference, triggerable with a crafted configuration
descriptor with a bad type.
Found with umap2 and a facedancer21.
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/usb/usb_subr.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/dev/usb/usb_subr.c b/sys/dev/usb/usb_subr.c index 4495a49483b..422aa29374b 100644 --- a/sys/dev/usb/usb_subr.c +++ b/sys/dev/usb/usb_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: usb_subr.c,v 1.123 2016/05/23 11:31:12 mpi Exp $ */ +/* $OpenBSD: usb_subr.c,v 1.124 2016/09/02 09:20:00 mpi Exp $ */ /* $NetBSD: usb_subr.c,v 1.103 2003/01/10 11:19:13 augustss Exp $ */ /* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */ @@ -663,8 +663,10 @@ usbd_set_config_index(struct usbd_device *dev, int index, int msg) /* Get the short descriptor. */ err = usbd_get_desc(dev, UDESC_CONFIG, index, USB_CONFIG_DESCRIPTOR_SIZE, &cd); - if (err || cd.bDescriptorType != UDESC_CONFIG) + if (err) return (err); + if (cd.bDescriptorType != UDESC_CONFIG) + return (USBD_INVAL); len = UGETW(cd.wTotalLength); cdp = malloc(len, M_USB, M_NOWAIT); if (cdp == NULL) |