USB: hub: Avoid NULL pointer dereference when hub doesn't have any ports

Return an error if hub->descriptor->bNbrPorts==0. Without this additional
check, we can end up doing a "hub->ports = kzalloc(0, GFP_KERNEL)".
This hub->ports pointer will therefore be non-NULL and will be used.
Example of dmesg:
   INIT: usb 1-1: New USB device found, idVendor=0424, idProduct=2512
   usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
   hub 1-1:1.0: USB hub found
   version 2.86 bootinghub 1-1:1.0: 0 ports detected
   Unable to handle kernel NULL pointer dereference at virtual address 00000010

Signed-off-by: David Linares <dlinares.linux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 5480352f984dc2df418902a430979c828cb5df52..781546269d269e4b8d60ee8117d1db4d173517d3 100644 (file)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1317,6 +1317,10 @@ static int hub_configure(struct usb_hub *hub,
                message = "hub has too many ports!";
                ret = -ENODEV;
                goto fail;
+       } else if (hub->descriptor->bNbrPorts == 0) {
+               message = "hub doesn't have any ports!";
+               ret = -ENODEV;
+               goto fail;
        }
 
        hdev->maxchild = hub->descriptor->bNbrPorts;