On 22/04/14 11:12PM, Pavel Skripkin wrote:
> Hi Wang,
>
> On 4/14/22 17:12, Wang Cheng wrote:
> > Due to the case that "requesttype == 0x01 && status <= 0"
> > isn't handled in r8712_usbctrl_vendorreq(),
> > "data" (drivers/staging/rtl8712/usb_ops.c:32)
> > will be returned without initialization.
> >
> > When "tmpU1b" (drivers/staging/rtl8712/usb_intf.c:395)
> > is 0, mac[6] (usb_intf.c:394) won't be initialized,
> > which leads to accessing uninit-value on usb_intf.c:541.
> >
> > Reported-and-tested-by: syzbot+6f5ecd144854c0d8580b@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Signed-off-by: Wang Cheng <wanngchenng@xxxxxxxxx>
>
> This patch will just hide the problematic API in that driver. Correct fix is
> changing usb_control_msg to usb_control_msg_{recv,send}.
>
> IIRC this driver does not want read various length requests, so it should be
> fine
Hi Pavel, thx for your review.
Sorry, this patch is just confined to fixing uninit-values with
modifying the original code as less as possible. It sounds good to
refactor r8712_usbctrl_vendorreq() with better API.
thanks,
-- w
>
>
>
>
> With regards,
> Pavel Skripkin
