staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb()

commit fea22e159d51c766ba70473f473a0ec914cc7e92 upstream.

let's use usb_find_common_endpoints() to discover endpoints, it does all
necessary checks for type and xfer direction

remove memset() in hfa384x_create(), because we now assign endpoints in
prism2sta_probe_usb() and because create_wlan() uses kzalloc() to
allocate hfa384x struct before calling hfa384x_create()

Fixes: faaff9765664 ("staging: wlan-ng: properly check endpoint types")
Reported-and-tested-by: syzbot+22794221ab96b0bab53a@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=22794221ab96b0bab53a
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200804145614.104320-1-rkovhaev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index fb1a76c4c9271fda2453a798fe57502a92aed210..292ebbce50dc8e5a2660c93e4409d027061aa812 100644 (file)
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -531,13 +531,8 @@ static void hfa384x_usb_defer(struct work_struct *data)
  */
 void hfa384x_create(struct hfa384x *hw, struct usb_device *usb)
 {
-       memset(hw, 0, sizeof(*hw));
        hw->usb = usb;
 
-       /* set up the endpoints */
-       hw->endp_in = usb_rcvbulkpipe(usb, 1);
-       hw->endp_out = usb_sndbulkpipe(usb, 2);
-
        /* Set up the waitq */
        init_waitqueue_head(&hw->cmdq);
 

diff --git a/drivers/staging/wlan-ng/prism2usb.c b/drivers/staging/wlan-ng/prism2usb.c
index 8d32b1603d10abd1630aad02b38588dcff82efd0..9eee72aff72335ec208469e2976d04b307449b29 100644 (file)
--- a/drivers/staging/wlan-ng/prism2usb.c
+++ b/drivers/staging/wlan-ng/prism2usb.c
@@ -61,23 +61,14 @@ static int prism2sta_probe_usb(struct usb_interface *interface,
                               const struct usb_device_id *id)
 {
        struct usb_device *dev;
-       const struct usb_endpoint_descriptor *epd;
-       const struct usb_host_interface *iface_desc = interface->cur_altsetting;
+       struct usb_endpoint_descriptor *bulk_in, *bulk_out;
+       struct usb_host_interface *iface_desc = interface->cur_altsetting;
        struct wlandevice *wlandev = NULL;
        struct hfa384x *hw = NULL;
        int result = 0;
 
-       if (iface_desc->desc.bNumEndpoints != 2) {
-               result = -ENODEV;
-               goto failed;
-       }
-
-       result = -EINVAL;
-       epd = &iface_desc->endpoint[1].desc;
-       if (!usb_endpoint_is_bulk_in(epd))
-               goto failed;
-       epd = &iface_desc->endpoint[2].desc;
-       if (!usb_endpoint_is_bulk_out(epd))
+       result = usb_find_common_endpoints(iface_desc, &bulk_in, &bulk_out, NULL, NULL);
+       if (result)
                goto failed;
 
        dev = interface_to_usbdev(interface);
@@ -96,6 +87,8 @@ static int prism2sta_probe_usb(struct usb_interface *interface,
        }
 
        /* Initialize the hw data */
+       hw->endp_in = usb_rcvbulkpipe(dev, bulk_in->bEndpointAddress);
+       hw->endp_out = usb_sndbulkpipe(dev, bulk_out->bEndpointAddress);
        hfa384x_create(hw, dev);
        hw->wlandev = wlandev;