diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2020-12-09 23:16:51 +0200 |
|---|---|---|
| committer | Luca Coelho <luciano.coelho@intel.com> | 2020-12-10 00:16:08 +0200 |
| commit | fd1c3318f4e7cf30cd73efb3cb5e9648efc6625b (patch) | |
| tree | de133c29a312ddafda28810219d98820a3b17eaa /drivers/net/wireless/intel/iwlwifi/mvm/fw.c | |
| parent | d3d9b4fca3636bb2dc75e2eb2e4e384bbf5e4159 (diff) | |
iwlwifi: mvm: validate notification size when waiting
When waiting for a notification and then processing it,
we also need to check the size of the data before we use
it. Most places do that already, but fix the remaining
ones to do it as well.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201209231352.b29573bcba39.I4b7e72824d06dc0719a40021d933e29edfc14713@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/mvm/fw.c')
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c index 8f15f68ffc70..0637eb1cff4e 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c @@ -160,6 +160,7 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, struct iwl_rx_packet *pkt, void *data) { + unsigned int pkt_len = iwl_rx_packet_payload_len(pkt); struct iwl_mvm *mvm = container_of(notif_wait, struct iwl_mvm, notif_wait); struct iwl_mvm_alive_data *alive_data = data; @@ -177,6 +178,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, UCODE_ALIVE_NTFY, 0) == 5) { struct iwl_alive_ntf_v5 *palive; + if (pkt_len < sizeof(*palive)) + return false; + palive = (void *)pkt->data; umac = &palive->umac_data; lmac1 = &palive->lmac_data[0]; @@ -194,6 +198,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, } else if (iwl_rx_packet_payload_len(pkt) == sizeof(struct iwl_alive_ntf_v4)) { struct iwl_alive_ntf_v4 *palive; + if (pkt_len < sizeof(*palive)) + return false; + palive = (void *)pkt->data; umac = &palive->umac_data; lmac1 = &palive->lmac_data[0]; @@ -203,6 +210,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, sizeof(struct iwl_alive_ntf_v3)) { struct iwl_alive_ntf_v3 *palive3; + if (pkt_len < sizeof(*palive3)) + return false; + palive3 = (void *)pkt->data; umac = &palive3->umac_data; lmac1 = &palive3->lmac_data; |