mceusb: fix NULL-deref at probe

commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream.

Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path is hit during probe.

Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.2: using mce_dbg() instead of dev_dbg()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 60d3c1e..2fb6473 100644 (file)
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1301,8 +1301,8 @@ static int __devinit mceusb_dev_probe(struct usb_interface *intf,
                                "found\n");
                }
        }
-       if (ep_in == NULL) {
-               mce_dbg(&intf->dev, "inbound and/or endpoint not found\n");
+       if (!ep_in || !ep_out) {
+               mce_dbg(&intf->dev, "required endpoints not found\n");
                return -ENODEV;
        }