Minsuk Kang <[email protected]> writes:
> Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
> occurs when txs->cnt, data from a URB provided by a USB device, is
> bigger than the size of the array txs->txstatus, which is
> HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
> handling code after the check. Make the function return if that is the
> case.
>
> Found by a modified version of syzkaller.
>
> UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
> index 13 is out of range for type '__wmi_event_txstatus [12]'
> Call Trace:
> ath9k_htc_txstatus
> ath9k_wmi_event_tasklet
> tasklet_action_common
> __do_softirq
> irq_exit_rxu
> sysvec_apic_timer_interrupt
>
> Signed-off-by: Minsuk Kang <[email protected]>
Acked-by: Toke Høiland-Jørgensen <[email protected]>