Commit 3348ef6a authored by Dan Carpenter's avatar Dan Carpenter Committed by Kalle Valo
Browse files

libertas_tf: prevent underflow in process_cmdrequest() 



If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.

Fixes: c305a19a ("libertas_tf: usb specific functions")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 62a25dc5

drivers/net/wireless/marvell/libertas_tf/if_usb.c

+3 −2
Original line number Diff line number Diff line
@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, 
{

	unsigned long flags;



	if (recvlength > LBS_CMD_BUFFER_SIZE) {

	if (recvlength < MESSAGE_HEADER_LEN ||

	    recvlength > LBS_CMD_BUFFER_SIZE) {

		lbtf_deb_usbd(&cardp->udev->dev,

			     "The receive buffer is too large\n");

			     "The receive buffer is invalid: %d\n", recvlength);

		kfree_skb(skb);

		return;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE