From nobody Tue Feb 10 11:56:20 2026
Received: from mail-qv1-f54.google.com (mail-qv1-f54.google.com
 [209.85.219.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id F3BED2E2EF9
	for <linux-kernel@vger.kernel.org>; Tue, 10 Feb 2026 02:43:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.219.54
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770691426; cv=none;
 b=UTegfd34KLxfMaiB+lk2omDDROQI+jQDphY2coXJdag6ExWsbcWAidUfUvQG2oxKDV51odAo/E3kknYc1lnuJVxy9LDo1vE5Tjbn559hpcBlGQeBtHwc4mt93jH72W5c1vVm86yHO4BhLEIdb8sL+GkURIHI7wvUu9l5mgFBq80=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770691426; c=relaxed/simple;
	bh=b4xPWImOTlDajhrUG7eXtH2aZH7I0nVFi0jycnY3IPE=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=WwlSovcgVQCEhRZHHzceanqfPIkMAg7Ol8GLXhbz7eGc+89zt7PKkX3xchZABQQAWFZvxjRxsUSbQLDY+tsv/mqvwrfDcQcJ5Hf/I1BsvmgqHcgQDx6aqGpopO8+uW1rfmw0LvwNML6uxDHyBND/m1PaSGAaXKFgUSz1KV2KY14=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=u.northwestern.edu;
 spf=pass smtp.mailfrom=u.northwestern.edu;
 dkim=pass (2048-bit key) header.d=u-northwestern-edu.20230601.gappssmtp.com
 header.i=@u-northwestern-edu.20230601.gappssmtp.com header.b=M3H0iwuL;
 arc=none smtp.client-ip=209.85.219.54
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=u.northwestern.edu
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=u.northwestern.edu
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=u-northwestern-edu.20230601.gappssmtp.com
 header.i=@u-northwestern-edu.20230601.gappssmtp.com header.b="M3H0iwuL"
Received: by mail-qv1-f54.google.com with SMTP id
 6a1803df08f44-8946e0884afso69413416d6.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 09 Feb 2026 18:43:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=u-northwestern-edu.20230601.gappssmtp.com; s=20230601; t=1770691424;
 x=1771296224; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=qvKGjQtrDpaNiZmMQcUWKgx5WOmlV0d55tFNLhvEBPw=;
        b=M3H0iwuL1syI+nG/M3a/AR6NS6HRLuuNbAF4IS61EgIGtMp0IgGqpzlqjR4JTctgl+
         Uab/E7KhfhAVk32VLZZTlavxezyGdpZbCvGVchQ7w6kyOAmEBiCzXFmcvTsFCNi5+Uf6
         1ZEulBwbljoUdjWob8AR8NUBX2RWifva3bWo1N8gC9VtA30fz0dSWcDT0NhP1MCL+Xwn
         8tyEPUQdg2OvpeWlEfxfstAFOD9VdEkXczHaqNIuJPOL+LIO1/dosZFU5w7aXZkIPp56
         MN1ckPE2H1U8n+TmwBOHUxK1jmUNzp1ehmfiGI+AxZRc00/VHNgezZP6zT+n95vprDS0
         yuzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770691424; x=1771296224;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=qvKGjQtrDpaNiZmMQcUWKgx5WOmlV0d55tFNLhvEBPw=;
        b=iA9sreL+yyKON1sSHyl/oC3xJnFX3BJYGT5UKVhSgfv5oH8Om2SB0R7PpDWKgr7yiY
         ymS5czmRAisdwS4lSuSMnd4mSMTZ3AHV1Ifco9efPCF/1TrkXlr9lKN4/fgbQGoYjmI7
         M42F5a+XbZs4uxV5mRnlSx96QEc7QwqMHFHqn1ku1aYgZVbrnmrkh6gtu6ohbo0HRe4f
         3L4nIxHNpAUN2SaHi+CfPqaupHhZ8KHtUoMGo4ozMUt9gkE/+HXYsHT6ZR+cHh5S92kR
         PWvHWs7dU0RuifG3YXQIQzvBn2zphGahWRNLctnQLnMQmyDWhrJKYVadgLZmm5jb2NCf
         Em3A==
X-Forwarded-Encrypted: i=1;
 AJvYcCU4N6saO4bMDreFC3SkuoVd1qGlcGF9ymmt6asMGcJ4fcqDcAdGBXcQk2xSg10WvP+gjRBIhWqjX8NC8rM=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy0ewn0CeN6KHKnDXCxGDXGkc/dNQl3/VIgf3nmvo3Qvd3LkUZ2
	cL5oOJOicFxu1u3lhmvPFYIvXVY3/KElhII2g2GKujKu+s4vdJi81pjXxJWFGKJ9+Rw=
X-Gm-Gg: AZuq6aJQMTHTF39vJLtgoBpVh4N3bLOIJ2xMWwr+Wuwi606zLR4mR86W2qc3gu99ZuM
	jLi7SXglMjoURmzCX2gtbezxBImPavSgUr43dZszG3oveRFg/aS4I690WaxoGJjBEfsF7f/kd3v
	AYQm5zXSjXaLUoua8863ejDT+rQNXym6e/TqoGFNEBoP88DoR4nRDlX6BP73SRxiBvpXKvMyYTp
	Fqse3uj9d2JGZCPV5PfY3u0yeLTZNOGKOGeHxJgxtbCF3TU1XRPuyCFOiyFSlBHmObzORh6kfml
	Qh3kw4FEWG5JeoCXi/zvRJg4Ju7mWHwLg/MPLaMIVAydKmA3AZb9IlJBtNSowMWfkFgADxdnhx3
	ZBSSWCVHuWgdHgmqlyUvh37qJMBN6+ODXU95DBhVhKvp4e48yKAVurqYcrfMez1GwdIaNGhRWMV
	I6jjp+RyWdh/KBcJIrfUCPfOzvMD9XHpr6Pnt7EyjhuxD6ZI7CmraHnGEI1z517NUahmWXN6Gdu
	8HauTuQk40+XFoFvsbIbX76MuYDUzS84d1rN7Vumw0=
X-Received: by 2002:a05:6214:518c:b0:895:c06:8cbe with SMTP id
 6a1803df08f44-8953cfa19a3mr211943866d6.69.1770691424012;
        Mon, 09 Feb 2026 18:43:44 -0800 (PST)
Received: from security.cs.northwestern.edu (security.cs.northwestern.edu.
 [165.124.184.136])
        by smtp.gmail.com with ESMTPSA id
 6a1803df08f44-8953bf5b2ddsm88416486d6.18.2026.02.09.18.43.43
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 09 Feb 2026 18:43:43 -0800 (PST)
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
To: Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>
Cc: linux-usb@vger.kernel.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Ziyi Guo <n7l8m4@u.northwestern.edu>
Subject: [PATCH net] net: usb: catc: enable basic endpoint checking
Date: Tue, 10 Feb 2026 02:43:41 +0000
Message-Id: <20260210024341.3216007-1-n7l8m4@u.northwestern.edu>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

catc_probe() fills three URBs with hardcoded endpoint pipes without
verifying the endpoint descriptors:

  - usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX
  - usb_rcvintpipe(usbdev, 2) for interrupt status

A malformed USB device can present these endpoints with transfer types
that differ from what the driver assumes.

Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls
after usb_set_interface() to verify endpoint types before use, rejecting
devices with mismatched descriptors at probe time.

Similar to
- commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
which fixed the issue in rtl8150.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
---
 drivers/net/usb/catc.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/net/usb/catc.c b/drivers/net/usb/catc.c
index 6759388692f8..e92773cbf5f9 100644
--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -770,6 +770,13 @@ static int catc_probe(struct usb_interface *intf, cons=
t struct usb_device_id *id
 	struct net_device *netdev;
 	struct catc *catc;
 	u8 broadcast[ETH_ALEN];
+	static const u8 bulk_ep_addr[] =3D {
+		USB_DIR_OUT | 1,	/* EP 1 OUT (TX) */
+		USB_DIR_IN | 1,		/* EP 1 IN  (RX) */
+		0};
+	static const u8 int_ep_addr[] =3D {
+		USB_DIR_IN | 2,		/* EP 2 IN  (interrupt) */
+		0};
 	u8 *macbuf;
 	int pktsz, ret =3D -ENOMEM;
=20
@@ -784,6 +791,14 @@ static int catc_probe(struct usb_interface *intf, cons=
t struct usb_device_id *id
 		goto fail_mem;
 	}
=20
+	/* Verify that all required endpoints are present */
+	if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) ||
+	    !usb_check_int_endpoints(intf, int_ep_addr)) {
+		dev_err(dev, "Missing or invalid endpoints\n");
+		ret =3D -ENODEV;
+		goto fail_mem;
+	}
+
 	netdev =3D alloc_etherdev(sizeof(struct catc));
 	if (!netdev)
 		goto fail_mem;
--=20
2.34.1