diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c6bfd13..1950e87 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
iface_desc = interface->cur_altsetting;
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ if (iface_desc->desc.bNumEndpoints < 1) {
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
+ retval = -EINVAL;
+ goto error;
+ }
+
/* set up the endpoint information */
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
Linux kernel before 4.5.1 っていうんだから、4.5.1 含…むのか含まないのか。確認。あ、含まれてた。4.5.1-1で直ってる、ということで。
https://security-tracker.debian.org/tracker/source-package/linux は後で更新…。→した。
From kernel-sec triaging: the above commits only handles the case where there are zero endpoints, but not the case where there are some endpoints but none of the expected type. So this is not really fixed anywhere yet.
ということでrevertされた。あらら。