UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

iwlwifi: validate MPDU length against notification length 

The MPDU contained in a notification shouldn't be larger than the
notification size itself is, validate this.

Reported-by: Haggai Abramovsky <haggai.abramovsky@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201209231352.7c721ad37014.Id5746874ecfa208b60baa62691b2d9dc5dd4d89c@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This commit is contained in:
Johannes Berg 2020-12-09 23:16:24 +02:00 committed by Luca Coelho
parent c6bae21690
commit efc0ec5afb
3 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/net/wireless/intel/iwlwifi/dvm/rx.c
View File

@ -3,7 +3,7 @@
*
* Copyright(c) 2003 - 2014 Intel Corporation. All rights reserved.
* Copyright(c) 2015 Intel Deutschland GmbH
* Copyright(c) 2018 Intel Corporation
* Copyright(c) 2018, 2020 Intel Corporation
*
* Portions of this file are derived from the ipw3945 project, as well
* as portionhelp of the ieee80211 subsystem header files.
@ -786,7 +786,7 @@ static void iwlagn_rx_reply_rx(struct iwl_priv *priv,
struct iwl_rx_phy_res *phy_res;
__le32 rx_pkt_status;
struct iwl_rx_mpdu_res_start *amsdu;
u32 len;
u32 len, pkt_len = iwl_rx_packet_len(pkt);
u32 ampdu_status;
u32 rate_n_flags;
@ -798,6 +798,12 @@ static void iwlagn_rx_reply_rx(struct iwl_priv *priv,
amsdu = (struct iwl_rx_mpdu_res_start *)pkt->data;
header = (struct ieee80211_hdr *)(pkt->data + sizeof(*amsdu));
len = le16_to_cpu(amsdu->byte_count);
if (unlikely(len + sizeof(*amsdu) + sizeof(__le32) > pkt_len)) {
IWL_DEBUG_DROP(priv, "FW lied about packet len\n");
return;
}
rx_pkt_status = *(__le32 *)(pkt->data + sizeof(*amsdu) + len);
ampdu_status = iwlagn_translate_rx_status(priv,
le32_to_cpu(rx_pkt_status));

8
drivers/net/wireless/intel/iwlwifi/mvm/rx.c
View File

@ -349,7 +349,7 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi,
struct iwl_rx_mpdu_res_start *rx_res;
struct ieee80211_sta *sta = NULL;
struct sk_buff *skb;
u32 len;
u32 len, pkt_len = iwl_rx_packet_payload_len(pkt);
u32 rate_n_flags;
u32 rx_pkt_status;
u8 crypt_len = 0;
@ -358,6 +358,12 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi,
rx_res = (struct iwl_rx_mpdu_res_start *)pkt->data;
hdr = (struct ieee80211_hdr *)(pkt->data + sizeof(*rx_res));
len = le16_to_cpu(rx_res->byte_count);
if (unlikely(len + sizeof(*rx_res) + sizeof(__le32) > pkt_len)) {
IWL_DEBUG_DROP(mvm, "FW lied about packet len\n");
return;
}
rx_pkt_status = get_unaligned_le32((__le32 *)
(pkt->data + sizeof(*rx_res) + len));

6
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
View File

@ -1607,6 +1607,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
struct ieee80211_hdr *hdr;
u32 len = le16_to_cpu(desc->mpdu_len);
u32 pkt_len = iwl_rx_packet_payload_len(pkt);
u32 rate_n_flags, gp2_on_air_rise;
u16 phy_info = le16_to_cpu(desc->phy_info);
struct ieee80211_sta *sta = NULL;
@ -1653,6 +1654,11 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
le32_get_bits(phy_data.d1,
IWL_RX_PHY_DATA1_INFO_TYPE_MASK);
if (len + desc_size > pkt_len) {
IWL_DEBUG_DROP(mvm, "FW lied about packet len\n");
return;
}
hdr = (void *)(pkt->data + desc_size);
/* Dont use dev_alloc_skb(), we'll have enough headroom once
* ieee80211_hdr pulled.