wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes

jira VULN-154355
cve CVE-2023-53185
commit-author Fedor Pchelkin <pchelkin@ispras.ru>
commit 061b0cb

A bad USB device is able to construct a service connection response
message with target endpoint being ENDPOINT0 which is reserved for
HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
services.

Reject such service connection responses.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d ("ath9k_htc: Support for AR9271 chipset.")
	Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
	Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
	Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
	Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
(cherry picked from commit 061b0cb)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

drivers/net/wireless/ath/ath9k/htc_hst.c

@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
 
 	if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
 		epid = svc_rspmsg->endpoint_id;
-		if (epid < 0 || epid >= ENDPOINT_MAX)
+
+		/* Check that the received epid for the endpoint to attach
+		 * a new service is valid. ENDPOINT0 can't be used here as it
+		 * is already reserved for HTC_CTRL_RSVD_SVC service and thus
+		 * should not be modified.
+		 */
+		if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
 			return;
 
 		service_id = be16_to_cpu(svc_rspmsg->service_id);