Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

From: Edward Adam Davis
Date: Wed Mar 20 2024 - 23:19:01 EST

Next message: Jakub Kicinski: "Re: [PATCH v2] lib/bitmap: Fix bitmap_scatter() and bitmap_gather() kernel doc"
Previous message: Matthew Wilcox: "Re: [PATCH v2] mm/page-flags: make PageMappingFlags return bool"
In reply to: syzbot: "Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send"
Next in thread: syzbot: "Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..0d1115d1cc29 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,9 @@ int htc_connect_service(struct htc_target *target,
}

*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX)
+ return -EINVAL;
+
return 0;
err:
kfree_skb(skb);

Next message: Jakub Kicinski: "Re: [PATCH v2] lib/bitmap: Fix bitmap_scatter() and bitmap_gather() kernel doc"
Previous message: Matthew Wilcox: "Re: [PATCH v2] mm/page-flags: make PageMappingFlags return bool"
In reply to: syzbot: "Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send"
Next in thread: syzbot: "Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]