[src/trunk]: src/sys/dev/usb umidi(4): Bail early if no endpoints.

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/32f35bfc32e0
branches:  trunk
changeset: 363512:32f35bfc32e0
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Mon Mar 14 16:14:11 2022 +0000

description:
umidi(4): Bail early if no endpoints.

kmem_alloc is unhappy with zero-size allocation.

Reported-by: syzbot+483b984480c295979391%syzkaller.appspotmail.com@localhost

diffstat:

 sys/dev/usb/umidi.c |  8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diffs (36 lines):

diff -r e4a1f95cc8cf -r 32f35bfc32e0 sys/dev/usb/umidi.c
--- a/sys/dev/usb/umidi.c       Mon Mar 14 12:22:02 2022 +0000
+++ b/sys/dev/usb/umidi.c       Mon Mar 14 16:14:11 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: umidi.c,v 1.84 2021/08/08 20:50:12 andvar Exp $        */
+/*     $NetBSD: umidi.c,v 1.85 2022/03/14 16:14:11 riastradh Exp $     */
 
 /*
  * Copyright (c) 2001, 2012, 2014 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: umidi.c,v 1.84 2021/08/08 20:50:12 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: umidi.c,v 1.85 2022/03/14 16:14:11 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -778,6 +778,8 @@
 
        fp = umidi_get_quirk_data_from_type(sc->sc_quirk,
                                            UMQ_TYPE_FIXED_EP);
+       if (fp->num_in_ep == 0 && fp->num_out_ep == 0)
+               return USBD_INVAL;
        sc->sc_out_num_jacks = 0;
        sc->sc_in_num_jacks = 0;
        sc->sc_out_num_endpoints = fp->num_out_ep;
@@ -934,6 +936,8 @@
                sc->sc_in_num_jacks = 0;
        }
        sc->sc_endpoints_len = UMIDI_ENDPOINT_SIZE(sc);
+       if (sc->sc_endpoints_len == 0)
+               return USBD_INVAL;
        sc->sc_endpoints = kmem_zalloc(sc->sc_endpoints_len, KM_SLEEP);
        if (sc->sc_out_num_endpoints) {
                sc->sc_out_ep = sc->sc_endpoints;