[PATCH 3/3] mwifiex: fix division by zero in fw download path

Johan Hovold <johan@xxxxxxxxxx> · Tue, 26 Oct 2021 11:52:14 +0200

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in mwifiex_write_data_sync() in case a malicious device
has broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 4daffe354366 ("mwifiex: add support for Marvell USB8797 chipset")
Cc: stable@xxxxxxxxxxxxxxx      # 3.5
Cc: Amitkumar Karwar <akarwar@xxxxxxxxxxx>
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
 drivers/net/wireless/marvell/mwifiex/usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
index 426e39d4ccf0..2826654907d9 100644
--- a/drivers/net/wireless/marvell/mwifiex/usb.c
+++ b/drivers/net/wireless/marvell/mwifiex/usb.c
@@ -502,6 +502,9 @@ static int mwifiex_usb_probe(struct usb_interface *intf,
 			atomic_set(&card->tx_cmd_urb_pending, 0);
 			card->bulk_out_maxpktsize =
 					le16_to_cpu(epd->wMaxPacketSize);
+			/* Reject broken descriptors. */
+			if (card->bulk_out_maxpktsize == 0)
+				return -ENODEV;
 		}
 	}
 
-- 
2.32.0







