| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20211025113944.4350-1-johan@kernel.org>
Date: Mon, 25 Oct 2021 13:39:44 +0200
From: Johan Hovold <johan@...nel.org>
To: Marcel Holtmann <marcel@...tmann.org>
Cc: Johan Hedberg <johan.hedberg@...il.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
linux-bluetooth@...r.kernel.org, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org, Johan Hovold <johan@...nel.org>,
stable@...r.kernel.org
Subject: [PATCH] Bluetooth: fix division by zero in send path
Add the missing bulk-out endpoint sanity check to probe() to avoid
division by zero in bfusb_send_frame() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Cc: stable@...r.kernel.org
Signed-off-by: Johan Hovold <johan@...nel.org>
---
drivers/bluetooth/bfusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c
index 5a321b4076aa..df80fb324356 100644
--- a/drivers/bluetooth/bfusb.c
+++ b/drivers/bluetooth/bfusb.c
@@ -627,6 +627,8 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i
data->bulk_in_ep = bulk_in_ep->desc.bEndpointAddress;
data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress;
data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize);
+ if (!data->bulk_pkt_size)
+ goto done;
rwlock_init(&data->lock);
--
2.32.0
Powered by blists - more mailing lists