diff options
| author | Mordechay Goodstein <mordechay.goodstein@intel.com> | 2020-04-24 18:48:11 +0300 |
|---|---|---|
| committer | Luca Coelho <luciano.coelho@intel.com> | 2020-05-08 09:50:46 +0300 |
| commit | 0c9e025e797e02c35449b3ad08d3317e5fc7d7b8 (patch) | |
| tree | a24cdde6216735d40ad0409d731853be9112aea9 /drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | |
| parent | f25c418dcad93755cf48537d60a46070112be72c (diff) | |
| download | linux-0c9e025e797e02c35449b3ad08d3317e5fc7d7b8.tar.xz | |
iwlwifi: yoyo: don't access TLV before verifying len
If we access the TLV memory with shorter len than the struct
we access garbage data that was not given by the user.
On the way rewrite the checker in a cleaner way.
Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Fixes: a9248de42464 ("iwlwifi: dbg_ini: add TLV allocation new API support")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20200424182644.54418c829390.I15d6b462a0e69a280b6c6cfbcb6bcb05bb5f79ee@changeid
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c')
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 44 |
1 files changed, 21 insertions, 23 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c index 9eb8fbfaa2a2..7987a288917b 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c @@ -165,38 +165,36 @@ static int iwl_dbg_tlv_alloc_buf_alloc(struct iwl_trans *trans, struct iwl_ucode_tlv *tlv) { struct iwl_fw_ini_allocation_tlv *alloc = (void *)tlv->data; - u32 buf_location = le32_to_cpu(alloc->buf_location); - u32 alloc_id = le32_to_cpu(alloc->alloc_id); + u32 buf_location; + u32 alloc_id; - if (le32_to_cpu(tlv->length) != sizeof(*alloc) || - (buf_location != IWL_FW_INI_LOCATION_SRAM_PATH && - buf_location != IWL_FW_INI_LOCATION_DRAM_PATH && - buf_location != IWL_FW_INI_LOCATION_NPK_PATH)) { - IWL_ERR(trans, - "WRT: Invalid allocation TLV\n"); + if (le32_to_cpu(tlv->length) != sizeof(*alloc)) return -EINVAL; - } - if ((buf_location == IWL_FW_INI_LOCATION_SRAM_PATH || - buf_location == IWL_FW_INI_LOCATION_NPK_PATH) && - alloc_id != IWL_FW_INI_ALLOCATION_ID_DBGC1) { - IWL_ERR(trans, - "WRT: Allocation TLV for SMEM/NPK path must have id %u (current: %u)\n", - IWL_FW_INI_ALLOCATION_ID_DBGC1, alloc_id); - return -EINVAL; - } + buf_location = le32_to_cpu(alloc->buf_location); + alloc_id = le32_to_cpu(alloc->alloc_id); + + if (buf_location == IWL_FW_INI_LOCATION_INVALID || + buf_location >= IWL_FW_INI_LOCATION_NUM) + goto err; if (alloc_id == IWL_FW_INI_ALLOCATION_INVALID || - alloc_id >= IWL_FW_INI_ALLOCATION_NUM) { - IWL_ERR(trans, - "WRT: Invalid allocation id %u for allocation TLV\n", - alloc_id); - return -EINVAL; - } + alloc_id >= IWL_FW_INI_ALLOCATION_NUM) + goto err; + + if ((buf_location == IWL_FW_INI_LOCATION_SRAM_PATH || + buf_location == IWL_FW_INI_LOCATION_NPK_PATH) && + alloc_id != IWL_FW_INI_ALLOCATION_ID_DBGC1) + goto err; trans->dbg.fw_mon_cfg[alloc_id] = *alloc; return 0; +err: + IWL_ERR(trans, + "WRT: Invalid allocation id %u and/or location id %u for allocation TLV\n", + alloc_id, buf_location); + return -EINVAL; } static int iwl_dbg_tlv_alloc_hcmd(struct iwl_trans *trans, |