diff options
author | Zekun Shen <bruceshenzk@gmail.com> | 2020-06-16 16:25:43 +0300 |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2020-06-23 10:43:17 +0300 |
commit | aed95297250f0cac4c4861eef4a91708970aa1dc (patch) | |
tree | b79809879d435080423278c2872e758acdd33ae2 /drivers/net/wireless/ath/ath10k/pci.c | |
parent | 93a5b668806c1d868f7f9f0438321006200c049f (diff) | |
download | linux-aed95297250f0cac4c4861eef4a91708970aa1dc.tar.xz |
ath10k: pci: fix memcpy size of bmi response
A compromized ath10k peripheral is able to control the size argument
of memcpy in ath10k_pci_hif_exchange_bmi_msg.
The min result from previous line is not used as the size argument
for memcpy. Instead, xfer.resp_len comes from untrusted stream dma
input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data,
which is set inside _ath10k_ce_completed_recv_next_nolock with the line
nbytes = __le16_to_cpu(sdesc.nbytes);
sdesc is a stream dma region which device can write to.
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200616132544.17478-1-bruceshenzk@gmail.com
Diffstat (limited to 'drivers/net/wireless/ath/ath10k/pci.c')
-rw-r--r-- | drivers/net/wireless/ath/ath10k/pci.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c index 1d941d53fdc9..ad28d91565d1 100644 --- a/drivers/net/wireless/ath/ath10k/pci.c +++ b/drivers/net/wireless/ath/ath10k/pci.c @@ -2184,7 +2184,7 @@ err_req: if (ret == 0 && resp_len) { *resp_len = min(*resp_len, xfer.resp_len); - memcpy(resp, tresp, xfer.resp_len); + memcpy(resp, tresp, *resp_len); } err_dma: kfree(treq); |