iwlwifi: fix debug TLV parsing

author Johannes Berg <johannes.berg@intel.com>

Fri, 10 Dec 2021 09:12:41 +0000 (11:12 +0200)

committer Luca Coelho <luciano.coelho@intel.com>

Tue, 21 Dec 2021 10:35:05 +0000 (12:35 +0200)
author Johannes Berg <johannes.berg@intel.com>
Fri, 10 Dec 2021 09:12:41 +0000 (11:12 +0200)
committer Luca Coelho <luciano.coelho@intel.com>
Tue, 21 Dec 2021 10:35:05 +0000 (12:35 +0200)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c

index a8ebc26..c2fbda2 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
@@ -300,14 +300,21 @@ static int (*dbg_tlv_alloc[])(struct iwl_trans *trans,
  void iwl_dbg_tlv_alloc(struct iwl_trans *trans, const struct iwl_ucode_tlv *tlv,
                        bool ext)
  {
-       const struct iwl_fw_ini_header *hdr = (const void *)&tlv->data[0];
-       u32 type = le32_to_cpu(tlv->type);
-       u32 tlv_idx = type - IWL_UCODE_TLV_DEBUG_BASE;
-       u32 domain = le32_to_cpu(hdr->domain);
         enum iwl_ini_cfg_state *cfg_state = ext ?
                 &trans->dbg.external_ini_cfg : &trans->dbg.internal_ini_cfg;
+       const struct iwl_fw_ini_header *hdr = (const void *)&tlv->data[0];
+       u32 type;
+       u32 tlv_idx;
+       u32 domain;
         int ret;
  
+       if (le32_to_cpu(tlv->length) < sizeof(*hdr))
+               return;
+
+       type = le32_to_cpu(tlv->type);
+       tlv_idx = type - IWL_UCODE_TLV_DEBUG_BASE;
+       domain = le32_to_cpu(hdr->domain);
+
         if (domain != IWL_FW_INI_DOMAIN_ALWAYS_ON &&
             !(domain & trans->dbg.domains_bitmap)) {
                 IWL_DEBUG_FW(trans,
author	Johannes Berg <johannes.berg@intel.com>
	Fri, 10 Dec 2021 09:12:41 +0000 (11:12 +0200)
committer	Luca Coelho <luciano.coelho@intel.com>
	Tue, 21 Dec 2021 10:35:05 +0000 (12:35 +0200)