Re: [PATCH v2 3/3] mwifiex: fix division by zero in fw download path
From: Kalle Valo
Date: Thu Oct 28 2021 - 09:28:41 EST
Johan Hovold <johan@xxxxxxxxxx> wrote:
> Add the missing endpoint sanity checks to probe() to avoid division by
> zero in mwifiex_write_data_sync() in case a malicious device has broken
> descriptors (or when doing descriptor fuzz testing).
>
> Only add checks for the firmware-download boot stage, which require both
> command endpoints, for now. The driver looks like it will handle a
> missing endpoint during normal operation without oopsing, albeit not
> very gracefully as it will try to submit URBs to the default pipe and
> fail.
>
> Note that USB core will reject URBs submitted for endpoints with zero
> wMaxPacketSize but that drivers doing packet-size calculations still
> need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
> endpoint descriptors with maxpacket=0")).
>
> Fixes: 4daffe354366 ("mwifiex: add support for Marvell USB8797 chipset")
> Cc: stable@xxxxxxxxxxxxxxx # 3.5
> Cc: Amitkumar Karwar <akarwar@xxxxxxxxxxx>
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> Reviewed-by: Brian Norris <briannorris@xxxxxxxxxxxx>
Patch applied to wireless-drivers-next.git, thanks.
89f8765a11d8 mwifiex: fix division by zero in fw download path
--
https://patchwork.kernel.org/project/linux-wireless/patch/20211027080819.6675-4-johan@xxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches