Skip to content

Commit

Permalink
usb: gadget: f_fs: fix NULL pointer dereference when there are no str…
Browse files Browse the repository at this point in the history 
…ings

If the descriptors do not need any strings and user space sends empty
set of strings, the ffs->stringtabs field remains NULL.  Thus
*ffs->stringtabs in functionfs_bind leads to a NULL pointer
dereferenece.

The bug was introduced by commit [fd7c9a0: “use usb_string_ids_n()”].

While at it, remove double initialisation of lang local variable in
that function.

ffs->strings_count does not need to be checked in any way since in
the above scenario it will remain zero and usb_string_ids_n() is
a no-operation when colled with 0 argument.

Cc: <stable@vger.kernel.org>  # v2.6.36+
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
  • Loading branch information
Michal Nazarewicz authored and Felipe Balbi committed Jun 19, 2014
1 parent 82363cf commit f0688c8
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions drivers/usb/gadget/f_fs.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1483,11 +1483,13 @@ static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
ffs->ep0req->context = ffs;

lang = ffs->stringtabs;
for (lang = ffs->stringtabs; *lang; ++lang) {
struct usb_string *str = (*lang)->strings;
int id = first_id;
for (; str->s; ++id, ++str)
str->id = id;
if (lang) {
for (; *lang; ++lang) {
struct usb_string *str = (*lang)->strings;
int id = first_id;
for (; str->s; ++id, ++str)
str->id = id;
}
}

ffs->gadget = cdev->gadget;
Expand Down

0 comments on commit f0688c8

Please sign in to comment.