authorJohannes Berg <johannes.berg@intel.com>2020-12-09 23:16:46 +0200
committerLuca Coelho <luciano.coelho@intel.com>2020-12-10 00:16:05 +0200
commitb8aba27cdc0ea6aaafacba3b899ff99d6d876fad (patch)
treef95682ce970b9ec74e4d8427411b6ff83421bdd1 /drivers/net/wireless/intel/iwlwifi/dvm/rx.c
parentac1a98e1e924e7e8d7c7e5b1ca8ddc522e10ddd0 (diff)
iwlwifi: tighten RX MPDU bounds checks
Previously, we added checks that the contained MPDU size is long enough, but really we should also check that the notification itself fits into the data. Add some checks for that. Also add unlikely() annotations on the previously added checks. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Link: https://lore.kernel.org/r/iwlwifi.20201209231352.51cc04cf1e3e.I7bfd6809f8f5feb75f79397646e6656e95688a0e@changeid Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/dvm/rx.c')
-rw-r--r--drivers/net/wireless/intel/iwlwifi/dvm/rx.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
index d06278558b33..ecbf8d3cddae 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
@@ -794,6 +794,12 @@ static void iwlagn_rx_reply_rx(struct iwl_priv *priv,
IWL_ERR(priv, "MPDU frame without cached PHY data\n");
return;
}
+
+ if (unlikely(pkt_len < sizeof(*amsdu))) {
+ IWL_DEBUG_DROP(priv, "Bad REPLY_RX_MPDU_CMD size\n");
+ return;
+ }
+
phy_res = &priv->last_phy_res;
amsdu = (struct iwl_rx_mpdu_res_start *)pkt->data;
header = (struct ieee80211_hdr *)(pkt->data + sizeof(*amsdu));
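Review bot: The new guard `if (unlikely(pkt_len < sizeof(*amsdu)))` is only as tight as the definition of `pkt_len`, which is declared outside this hunk: `amsdu` is read from `pkt->data`, so the comparison is exact only if `pkt_len` counts bytes starting at `pkt->data`. If it instead holds the whole packet length including the command header, a notification short by up to that header's size would still pass, so this is worth confirming and recording in a comment such as `/* pkt_len is measured from pkt->data; the fixed notification must fit before amsdu is read */`. The guard also covers only the fixed `struct iwl_rx_mpdu_res_start`; the `header` pointer computed on the last line points just past it and presumably relies on the earlier MPDU-length check that the commit message mentions, which is not visible here. The body of iwlagn_rx_reply_rx starts before and continues after the hunk.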