wifi: iwlwifi: mvm: check firmware response size

[ Upstream commit 13513cec93ac9902d0b896976d8bab3758a9881c ]

Check the firmware response size for responses to the
memory read/write command in debugfs before using it.

Fixes: 2b55f43f8e47 ("iwlwifi: mvm: Add mem debugfs entry")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230417113648.0d56fcaf68ee.I70e9571f3ed7263929b04f8fabad23c9b999e4ea@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
index 1e81231..022ec7e 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
@@ -1745,6 +1745,11 @@ static ssize_t iwl_dbgfs_mem_read(struct file *file, char __user *user_buf,
        if (ret < 0)
                return ret;
 
+       if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
+               ret = -EIO;
+               goto out;
+       }
+
        rsp = (void *)hcmd.resp_pkt->data;
        if (le32_to_cpu(rsp->status) != DEBUG_MEM_STATUS_SUCCESS) {
                ret = -ENXIO;
@@ -1821,6 +1826,11 @@ static ssize_t iwl_dbgfs_mem_write(struct file *file,
        if (ret < 0)
                return ret;
 
+       if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
+               ret = -EIO;
+               goto out;
+       }
+
        rsp = (void *)hcmd.resp_pkt->data;
        if (rsp->status != DEBUG_MEM_STATUS_SUCCESS) {
                ret = -ENXIO;