| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_59F76EFB4C8B67EA86DA92C5065949996E06@qq.com>
Date: Tue, 27 Aug 2024 06:51:09 +0800
From: Edward Adam Davis <eadavis@...com>
To: kvalo@...nel.org
Cc: eadavis@...com,
gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org,
linux-wireless@...r.kernel.org,
netdev@...r.kernel.org,
syzbot+92c6dd14aaa230be6855@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: [PATCH V6 2/2] wifi: ath6kl: remove ath6kl_usb_submit_ctrl_in
ath6kl_usb_submit_ctrl_in() did not take into account the situation where
the length of the data read from the device is not equal to the len, and
such missing judgments will result in subsequent code using incorrect data.
usb_control_msg_recv() handles the abnormal length of the returned data,
so using it directly.
Note: Compile tested only, not tested on hardware, only tested on QEMU.
Suggested-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
drivers/net/wireless/ath/ath6kl/usb.c | 39 +++------------------------
1 file changed, 3 insertions(+), 36 deletions(-)
diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
index 0458b5a078e1..1a5fb2561fef 100644
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
@@ -901,40 +901,6 @@ static int ath6kl_usb_submit_ctrl_out(struct ath6kl_usb *ar_usb,
return 0;
}
-static int ath6kl_usb_submit_ctrl_in(struct ath6kl_usb *ar_usb,
- u8 req, u16 value, u16 index, void *data,
- u32 size)
-{
- u8 *buf = NULL;
- int ret;
-
- if (size > 0) {
- buf = kmalloc(size, GFP_KERNEL);
- if (buf == NULL)
- return -ENOMEM;
- }
-
- /* note: if successful returns number of bytes transfered */
- ret = usb_control_msg(ar_usb->udev,
- usb_rcvctrlpipe(ar_usb->udev, 0),
- req,
- USB_DIR_IN | USB_TYPE_VENDOR |
- USB_RECIP_DEVICE, value, index, buf,
- size, 2000);
-
- if (ret < 0) {
- ath6kl_warn("Failed to read usb control message: %d\n", ret);
- kfree(buf);
- return ret;
- }
-
- memcpy((u8 *) data, buf, size);
-
- kfree(buf);
-
- return 0;
-}
-
static int ath6kl_usb_ctrl_msg_exchange(struct ath6kl_usb *ar_usb,
u8 req_val, u8 *req_buf, u32 req_len,
u8 resp_val, u8 *resp_buf, u32 *resp_len)
@@ -954,8 +920,9 @@ static int ath6kl_usb_ctrl_msg_exchange(struct ath6kl_usb *ar_usb,
}
/* get response */
- ret = ath6kl_usb_submit_ctrl_in(ar_usb, resp_val, 0, 0,
- resp_buf, *resp_len);
+ ret = usb_control_msg_recv(ar_usb->udev, 0, resp_val,
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, 0, resp_buf, *resp_len, 2000, GFP_KERNEL);
return ret;
}
--
2.43.0
Powered by blists - more mailing lists