UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

iwlwifi: mvm: debugfs: check length precisely in inject_packet 

When we check the length, we only check that the advertised
data length fits into the data we have, but currently not
that it actually matches correctly.

This should be harmless, but if the first two bytes are zero,
then the iwl_rx_packet_payload_len() ends up negative, and
that might later cause issues if unsigned variables are used,
as this is not something that's normally expected.

Change the validation here to precisely validate the lengths
match, to avoid such issues.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20210117164916.5184dfc2a445.I0631d2e4f6ffb93cf06618edb035c45bd6d1d7b9@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This commit is contained in:
Johannes Berg 2021-01-17 16:52:33 +02:00 committed by Luca Coelho
parent 9aae43a450
commit 5c255a1071
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
View File

@ -1169,9 +1169,9 @@ static ssize_t iwl_dbgfs_inject_packet_write(struct iwl_mvm *mvm,
if (ret) if (ret)
goto out; goto out;
/* avoid invalid memory access */ /* avoid invalid memory access and malformed packet */
if (bin_len < sizeof(*pkt) || if (bin_len < sizeof(*pkt) ||
bin_len < sizeof(*pkt) + iwl_rx_packet_payload_len(pkt)) bin_len != sizeof(*pkt) + iwl_rx_packet_payload_len(pkt))
goto out; goto out;
local_bh_disable(); local_bh_disable();