author Zekun Shen <bruceshenzk@gmail.com> 2020-06-16 16:25:43 +0300
committer Kalle Valo <kvalo@codeaurora.org> 2020-06-23 10:43:17 +0300
commit aed95297250f0cac4c4861eef4a91708970aa1dc (patch)
tree b79809879d435080423278c2872e758acdd33ae2 /drivers/net/wireless/ath/ath10k/pci.c
parent 93a5b668806c1d868f7f9f0438321006200c049f (diff)
ath10k: pci: fix memcpy size of bmi response
A compromised ath10k peripheral is able to control the size argument of memcpy in ath10k_pci_hif_exchange_bmi_msg.

The min result from previous line is not used as the size argument for memcpy. Instead, xfer.resp_len comes from untrusted stream dma input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data, which is set inside _ath10k_ce_completed_recv_next_nolock with the line

nbytes = __le16_to_cpu(sdesc.nbytes);

sdesc is a stream dma region which device can write to.

Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200616132544.17478-1-bruceshenzk@gmail.com
Diffstat (limited to 'drivers/net/wireless/ath/ath10k/pci.c')
-rw-r--r-- drivers/net/wireless/ath/ath10k/pci.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 1d941d53fdc9..ad28d91565d1 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -2184,7 +2184,7 @@ err_req:
if (ret == 0 && resp_len) {
*resp_len = min(*resp_len, xfer.resp_len);
- memcpy(resp, tresp, xfer.resp_len);
+ memcpy(resp, tresp, *resp_len);
}
err_dma:
kfree(treq);
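Review bot: In the `if (ret == 0 && resp_len)` block, a device-reported xfer.resp_len larger than the caller's *resp_len is now truncated silently by the min() line, so a peripheral that claims more bytes than were requested goes unnoticed. Consider logging a warning (or failing the exchange) when xfer.resp_len exceeds *resp_len, and add a one-line comment above the memcpy stating that xfer.resp_len is written by the device and must not be used as a copy length, so a later cleanup does not reintroduce it. The new `memcpy(resp, tresp, *resp_len)` is also only in bounds on the source side if tresp was allocated with at least the caller's original *resp_len bytes; that allocation is outside this hunk and is worth confirming before merge.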