ath10k: fix division by zero in send path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in ath10k_usb_hif_tx_sg() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 4db66499df91 ("ath10k: add initial USB support")
Cc: stable@vger.kernel.org # 4.14
Cc: Erik Stromdahl <erik.stromdahl@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@kernel.org

authored by

Johan Hovold and committed by

Kalle Valo 4 years ago a006acb9 a066d28a

1 changed file

expand all

drivers

net

wireless

ath

ath10k

usb.c

drivers/net/wireless/ath/ath10k/usb.c

··· 853 853 le16_to_cpu(endpoint->wMaxPacketSize), 854 854 endpoint->bInterval); 855 855 } 856 + 857 + /* Ignore broken descriptors. */ 858 + if (usb_endpoint_maxp(endpoint) == 0) 859 + continue; 860 + 856 861 urbcount = 0; 857 862 858 863 pipe_num =