As syzkaller detected, wlan-ng driver submits bulk urb without checking that the endpoint type is actually bulk, add usb_urb_ep_type_check() Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723 Signed-off-by: Rustam Kovhaev <rkovhaev@xxxxxxxxx> --- drivers/staging/wlan-ng/hfa384x_usb.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c index fa1bf8b069fd..7cde60ea68a2 100644 --- a/drivers/staging/wlan-ng/hfa384x_usb.c +++ b/drivers/staging/wlan-ng/hfa384x_usb.c @@ -339,6 +339,12 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags) hw->rx_urb_skb = skb; + result = usb_urb_ep_type_check(&hw->rx_urb); + if (result) { + netdev_warn(hw->wlandev->netdev, "invalid rx endpoint"); + goto cleanup; + } + result = -ENOLINK; if (!hw->wlandev->hwremoved && !test_bit(WORK_RX_HALT, &hw->usb_flags)) { @@ -354,6 +360,7 @@ static int submit_rx_urb(struct hfa384x *hw, gfp_t memflags) } } +cleanup: /* Don't leak memory if anything should go wrong */ if (result != 0) { dev_kfree_skb(skb); @@ -388,6 +395,12 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags) struct net_device *netdev = hw->wlandev->netdev; int result; + result = usb_urb_ep_type_check(&hw->tx_urb); + if (result) { + netdev_warn(hw->wlandev->netdev, "invalid tx endpoint"); + goto done; + } + result = -ENOLINK; if (netif_running(netdev)) { if (!hw->wlandev->hwremoved && @@ -407,6 +420,7 @@ static int submit_tx_urb(struct hfa384x *hw, struct urb *tx_urb, gfp_t memflags) } } +done: return result; } -- 2.27.0 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel