From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Oliver Neukum , Vasily Galkin , "David S. Miller" Subject: [PATCH 4.4 082/137] cdc-acm: fix NULL pointer reference Date: Mon, 18 Apr 2016 11:29:04 +0900 Message-Id: <20160418022512.638422360@linuxfoundation.org> In-Reply-To: <20160418022507.236379264@linuxfoundation.org> References: <20160418022507.236379264@linuxfoundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Sender: linux-kernel-owner@vger.kernel.org List-ID: 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Oliver Neukum commit 29c6dd591bbd592472247441de9fa694acdabae8 upstream. The union descriptor must be checked. Its usage was conditional before the parser was introduced. This is important, because many RNDIS device, which also use the common parser, have bogus extra descriptors. Signed-off-by: Oliver Neukum Tested-by: Vasily Galkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/usb/cdc_ether.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/net/usb/cdc_ether.c +++ b/drivers/net/usb/cdc_ether.c @@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbne info->u = header.usb_cdc_union_desc; info->header = header.usb_cdc_header_desc; info->ether = header.usb_cdc_ether_desc; + if (!info->u) { + if (rndis) + goto skip; + else /* in that case a quirk is mandatory */ + goto bad_desc; + } /* we need a master/control interface (what we're * probed with) and a slave/data interface; union * descriptors sort this all out. @@ -256,7 +262,7 @@ skip: goto bad_desc; } - } else if (!info->header || !info->u || (!rndis && !info->ether)) { + } else if (!info->header || (!rndis && !info->ether)) { dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n", info->header ? "" : "header ", info->u ? "" : "union ",