From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Fedor Pchelkin <pchelkin@ispras.ru>, Kalle Valo <kvalo@kernel.org>
Cc: Fedor Pchelkin <pchelkin@ispras.ru>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Takeshi Misawa <jeliantsurux@gmail.com>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
lvc-project@linuxtesting.org,
syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
Subject: Re: [PATCH] wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
Date: Mon, 15 May 2023 14:15:37 +0200
Message-ID: <87r0rhdc46.fsf@toke.dk>
In-Reply-To: <20230513214146.120963-1-pchelkin@ispras.ru>
Fedor Pchelkin <pchelkin@ispras.ru> writes:
> A bad USB device is able to construct a service connection response
> message with target endpoint being ENDPOINT0 which is reserved for
> HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
> services.
>
> Reject such service connection responses.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> ---
> drivers/net/wireless/ath/ath9k/htc_hst.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
> index fe62ff668f75..a15d8d80df87 100644
> --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
> +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
> @@ -114,7 +114,7 @@ static void htc_process_conn_rsp(struct htc_target *target,
>
> if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
> epid = svc_rspmsg->endpoint_id;
> - if (epid < 0 || epid >= ENDPOINT_MAX)
> + if (epid <= 0 || epid >= ENDPOINT_MAX)
> return;
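Review bot: The changed test `epid <= 0 || epid >= ENDPOINT_MAX` writes the reserved endpoint as a bare 0, so the reason ENDPOINT0 is rejected is not visible at the check itself. Consider spelling the lower bound with the ENDPOINT0 constant named in the commit message and adding a one-line comment above the test stating that ENDPOINT0 is reserved for HTC_CTRL_RSVD_SVC and must not be reassigned by a service connection response. The rejection path is also a silent `return;`, so a device that sends such a response leaves no trace in the log; a rate-limited debug message at that point would help when triaging similar reports.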
Hmm, I think we should use the ENDPOINT0 constant here, then, and maybe
add a comment above explaining that it's reserved?
-Toke
Thread overview: 5+ messages
2023-05-13 21:41 [PATCH] wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes Fedor Pchelkin
2023-05-15 12:15 ` Toke Høiland-Jørgensen [this message]
2023-05-16 15:04 ` [PATCH v2] " Fedor Pchelkin
2023-05-16 19:47 ` Toke Høiland-Jørgensen
2023-05-25 17:04 ` Kalle Valo