ath6kl: fix division by zero in send path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in ath10k_usb_hif_tx_sg() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 9cbee358687e ("ath6kl: add full USB support")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211027080819.6675-3-johan@kernel.org

authored by

Johan Hovold and committed by

Kalle Valo 4 years ago c1b9ca36 a006acb9

1 changed file

expand all

drivers

net

wireless

ath

ath6kl

usb.c

drivers/net/wireless/ath/ath6kl/usb.c

··· 340 340 le16_to_cpu(endpoint->wMaxPacketSize), 341 341 endpoint->bInterval); 342 342 } 343 + 344 + /* Ignore broken descriptors. */ 345 + if (usb_endpoint_maxp(endpoint) == 0) 346 + continue; 347 + 343 348 urbcount = 0; 344 349 345 350 pipe_num =