go7007: add sanity checking for endpoints

A malicious USB device may lack endpoints the driver assumes to exist
Accessing them leads to NULL pointer accesses. This patch introduces
sanity checking.

Reported-and-tested-by: syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver")
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
index f889c9d..dbf0455 100644 (file)
--- a/drivers/media/usb/go7007/go7007-usb.c
+++ b/drivers/media/usb/go7007/go7007-usb.c
@@ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf,
                go->hpi_ops = &go7007_usb_onboard_hpi_ops;
        go->hpi_context = usb;
 
+       ep = usb->usbdev->ep_in[4];
+       if (!ep)
+               return -ENODEV;
+
        /* Allocate the URB and buffer for receiving incoming interrupts */
        usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL);
        if (usb->intr_urb == NULL)
@@ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf,
        if (usb->intr_urb->transfer_buffer == NULL)
                goto allocfail;
 
-       ep = usb->usbdev->ep_in[4];
        if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
                usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
                        usb_rcvbulkpipe(usb->usbdev, 4),
@@ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf,
 
        /* Allocate the URBs and buffers for receiving the video stream */
        if (board->flags & GO7007_USB_EZUSB) {
+               if (!usb->usbdev->ep_in[6])
+                       goto allocfail;
                v_urb_len = 1024;
                video_pipe = usb_rcvbulkpipe(usb->usbdev, 6);
        } else {
+               if (!usb->usbdev->ep_in[1])
+                       goto allocfail;
                v_urb_len = 512;
                video_pipe = usb_rcvbulkpipe(usb->usbdev, 1);
        }
@@ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
        /* Allocate the URBs and buffers for receiving the audio stream */
        if ((board->flags & GO7007_USB_EZUSB) &&
            (board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) {
+               if (!usb->usbdev->ep_in[8])
+                       goto allocfail;
                for (i = 0; i < 8; ++i) {
                        usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL);
                        if (usb->audio_urbs[i] == NULL)