please test oob in htc_issue_send
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..0d1115d1cc29 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,9 @@ int htc_connect_service(struct htc_target *target,
}
*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX)
+ return -EINVAL;
+
return 0;
err:
kfree_skb(skb);
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: a788e53c usb: usb-acpi: Fix oops due to freeing uninit..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=17b25385180000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=103eb1be180000
Note: testing is done by a robot and is best-effort only.