From f9224757a08b7f55ad73554d75ddb8f6c27131ee Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 17 Feb 2016 11:25:37 +0100
Subject: [PATCH] Fix CVE-2016-2392 usb: check USB configuration descriptor object
---
 ...check-USB-configuration-descriptor-object.patch | 33 ++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 34 insertions(+)
 create mode 100644 debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
diff --git a/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch b/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
new file mode 100644
index 0000000..6616649
--- /dev/null
+++ b/debian/patches/extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
@@ -0,0 +1,33 @@
+From f979659e509e9d6da5cd3d74c459b944e131ce73 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 11 Feb 2016 16:31:20 +0530
+Subject: [PATCH] usb: check USB configuration descriptor object
+
+When processing remote NDIS control message packets, the USB Net
+device emulator checks to see if the USB configuration descriptor
+object is of RNDIS type(2). But it does not check if it is null,
+which leads to a null dereference error. Add check to avoid it.
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+---
+ hw/usb/dev-network.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 7800cee..8a4ff49 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -653,7 +653,8 @@ typedef struct USBNetState {
+
+ static int is_rndis(USBNetState *s)
+ {
+- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
++ return s->dev.config ?
++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
+ }
+
+ static int ndis_query(USBNetState *s, uint32_t oid,
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 47b2b01..ffc09f1 100644
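Review bot: In the embedded hw/usb/dev-network.c hunk of the new patch file, `is_rndis()` now reports a device whose `s->dev.config` is NULL as "not RNDIS", but nothing in the hunk documents that choice or shows that the non-RNDIS paths its callers then take are safe without a configuration descriptor. Those callers lie outside the hunk, so this needs confirming against the full file; any other direct `s->dev.config->` dereference in the device model would need the same guard. I would add a comment above the function such as `/* dev.config may be NULL (no configuration descriptor set); treat that as not RNDIS */` and write the test as `return s->dev.config && s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;`, which reads more directly than the `? : 0` form. The carried patch also has no pointer to its upstream commit; an `Origin:` header naming it (placeholder: `<upstream-commit-id>`) would keep the CVE fix traceable when the package is rebased.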
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@ extra/CVE-2016-1981-e1000-eliminate-infinite-loop.patch
 extra/CVE-2016-2197-ahci-null-pointer.patch
 extra/CVE-2016-2198-ehci-null-pointer.patch
 extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
+extra/CVE-2016-2392-check-USB-configuration-descriptor-object.patch
--
2.11.4.GIT