diff options
| author | Johan Hovold <johan@kernel.org> | 2021-10-25 14:39:44 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-01-16 11:15:38 +0300 |
| commit | ed5c2683b67b1762c60cc9afc089edc53a5f816d (patch) | |
| tree | 65e8591f7fb018b3f92a3ba31822d7991dd5d290 /drivers/bluetooth | |
| parent | 784e873af3dc69b61c80f0ce7d99bb7a1bdc3100 (diff) | |
| download | linux-ed5c2683b67b1762c60cc9afc089edc53a5f816d.tar.xz | |
Bluetooth: bfusb: fix division by zero in send path
commit b5e6fa7a12572c82f1e7f2f51fbb02a322291291 upstream.
Add the missing bulk-out endpoint sanity check to probe() to avoid
division by zero in bfusb_send_frame() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).
Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/bluetooth')
| -rw-r--r-- | drivers/bluetooth/bfusb.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/bluetooth/bfusb.c b/drivers/bluetooth/bfusb.c index 0e5954cac98e..00d72f6d8e8e 100644 --- a/drivers/bluetooth/bfusb.c +++ b/drivers/bluetooth/bfusb.c @@ -629,6 +629,9 @@ static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *i data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); + if (!data->bulk_pkt_size) + goto done; + rwlock_init(&data->lock); data->reassembly = NULL; |