Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

From: Edward Adam Davis
Date: Wed Mar 20 2024 - 22:39:32 EST


please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..9edc72601bf2 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,10 @@ int htc_connect_service(struct htc_target *target,
}

*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX) {
+ ret = -EINVAL;
+ goto err;
+ }
return 0;
err:
kfree_skb(skb);
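Review bot: The upper bound in the added check looks off by one: `*conn_rsp_epid > ENDPOINT_MAX` still accepts a value equal to ENDPOINT_MAX, and if the endpoint table indexed in htc_issue_send is declared with ENDPOINT_MAX entries (the declaration is not in this hunk), that index is one past the end, so the test should read `if (*conn_rsp_epid < 0 || *conn_rsp_epid >= ENDPOINT_MAX)`. The failure path needs a second look as well: `goto err` reaches `kfree_skb(skb)`, but the request skb has presumably already been handed to the send path earlier in htc_connect_service, which starts outside the hunk. If ownership has moved by then, freeing it here risks a double free, and a plain `return -EINVAL;` would avoid that. The out-parameter is also written before it is validated, so a caller that ignores the return value still sees the rejected id. Checking `target->conn_rsp_epid` first and storing it only when valid is safer for a value that appears to originate from the device's connect response.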