Commit fd1c3318 authored by Johannes Berg's avatar Johannes Berg Committed by Luca Coelho
Browse files

iwlwifi: mvm: validate notification size when waiting 



When waiting for a notification and then processing it,
we also need to check the size of the data before we use
it. Most places do that already, but fix the remaining
ones to do it as well.

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201209231352.b29573bcba39.I4b7e72824d06dc0719a40021d933e29edfc14713@changeid


Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
parent d3d9b4fc

drivers/net/wireless/intel/iwlwifi/iwl-phy-db.c

+13 −3
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause

/*

 * Copyright (C) 2005-2014 Intel Corporation

 * Copyright (C) 2005-2014, 2020 Intel Corporation

 * Copyright (C) 2016 Intel Deutschland GmbH

 */

#include <linux/slab.h>
@@ -147,13 +147,23 @@ IWL_EXPORT_SYMBOL(iwl_phy_db_free); 
int iwl_phy_db_set_section(struct iwl_phy_db *phy_db,

			   struct iwl_rx_packet *pkt)

{

	unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);

	struct iwl_calib_res_notif_phy_db *phy_db_notif =

			(struct iwl_calib_res_notif_phy_db *)pkt->data;

	enum iwl_phy_db_section_type type = le16_to_cpu(phy_db_notif->type);

	u16 size  = le16_to_cpu(phy_db_notif->length);

	enum iwl_phy_db_section_type type;

	u16 size;

	struct iwl_phy_db_entry *entry;

	u16 chg_id = 0;



	if (pkt_len < sizeof(*phy_db_notif))

		return -EINVAL;



	type = le16_to_cpu(phy_db_notif->type);

	size = le16_to_cpu(phy_db_notif->length);



	if (pkt_len < sizeof(*phy_db_notif) + size)

		return -EINVAL;



	if (!phy_db)

		return -EINVAL;

drivers/net/wireless/intel/iwlwifi/mvm/fw.c

+10 −0
Original line number Diff line number Diff line
@@ -160,6 +160,7 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm, 
static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,

			 struct iwl_rx_packet *pkt, void *data)

{

	unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);

	struct iwl_mvm *mvm =

		container_of(notif_wait, struct iwl_mvm, notif_wait);

	struct iwl_mvm_alive_data *alive_data = data;
@@ -177,6 +178,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, 
				    UCODE_ALIVE_NTFY, 0) == 5) {

		struct iwl_alive_ntf_v5 *palive;



		if (pkt_len < sizeof(*palive))

			return false;



		palive = (void *)pkt->data;

		umac = &palive->umac_data;

		lmac1 = &palive->lmac_data[0];
@@ -194,6 +198,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, 
	} else if (iwl_rx_packet_payload_len(pkt) == sizeof(struct iwl_alive_ntf_v4)) {

		struct iwl_alive_ntf_v4 *palive;



		if (pkt_len < sizeof(*palive))

			return false;



		palive = (void *)pkt->data;

		umac = &palive->umac_data;

		lmac1 = &palive->lmac_data[0];
@@ -203,6 +210,9 @@ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait, 
		   sizeof(struct iwl_alive_ntf_v3)) {

		struct iwl_alive_ntf_v3 *palive3;



		if (pkt_len < sizeof(*palive3))

			return false;



		palive3 = (void *)pkt->data;

		umac = &palive3->umac_data;

		lmac1 = &palive3->lmac_data;

CRA Git | Maintained and supported by SUSTech CRA and CCSE