summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/intel/iwlwifi/dvm
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2020-12-10 00:16:46 +0300
committerLuca Coelho <luciano.coelho@intel.com>2020-12-10 01:16:05 +0300
commitb8aba27cdc0ea6aaafacba3b899ff99d6d876fad (patch)
treef95682ce970b9ec74e4d8427411b6ff83421bdd1 /drivers/net/wireless/intel/iwlwifi/dvm
parentac1a98e1e924e7e8d7c7e5b1ca8ddc522e10ddd0 (diff)
downloadlinux-b8aba27cdc0ea6aaafacba3b899ff99d6d876fad.tar.xz
iwlwifi: tighten RX MPDU bounds checks
Previously, we added checks that the contained MPDU size is long enough, but really we should also check that the notification itself fits into the data. Add some checks for that. Also add unlikely() annotations on the previously added checks. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Link: https://lore.kernel.org/r/iwlwifi.20201209231352.51cc04cf1e3e.I7bfd6809f8f5feb75f79397646e6656e95688a0e@changeid Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/dvm')
-rw-r--r--drivers/net/wireless/intel/iwlwifi/dvm/rx.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
index d06278558b33..ecbf8d3cddae 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
@@ -794,6 +794,12 @@ static void iwlagn_rx_reply_rx(struct iwl_priv *priv,
IWL_ERR(priv, "MPDU frame without cached PHY data\n");
return;
}
+
+ if (unlikely(pkt_len < sizeof(*amsdu))) {
+ IWL_DEBUG_DROP(priv, "Bad REPLY_RX_MPDU_CMD size\n");
+ return;
+ }
+
phy_res = &priv->last_phy_res;
amsdu = (struct iwl_rx_mpdu_res_start *)pkt->data;
header = (struct ieee80211_hdr *)(pkt->data + sizeof(*amsdu));
generated by cgit v1.2.3 (git 2.39.0) at 2024-07-02 12:12:58 +0300