projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 620d5ea)
wifi: wfx: prevent underflow in wfx_send_pds()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 19 Aug 2022 05:23:43 +0000 (08:23 +0300)
committerKalle Valo <kvalo@kernel.org>
Fri, 2 Sep 2022 08:44:35 +0000 (11:44 +0300)
This does a "chunk_len - 4" subtraction later when it calls:

ret = wfx_hif_configuration(wdev, buf + 4, chunk_len - 4);

so check for "chunk_len" is less than 4.

Fixes: dcbecb497908 ("staging: wfx: allow new PDS format")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/Yv8eX7Xv2ubUOvW7@kili
drivers/net/wireless/silabs/wfx/main.c patch | blob | history

diff --git a/drivers/net/wireless/silabs/wfx/main.c b/drivers/net/wireless/silabs/wfx/main.c
index e015bfb..84d82dd 100644 (file)
--- a/drivers/net/wireless/silabs/wfx/main.c
+++ b/drivers/net/wireless/silabs/wfx/main.c
@@ -181,7 +181,7 @@ int wfx_send_pds(struct wfx_dev *wdev, u8 *buf, size_t len)
        while (len > 0) {
                chunk_type = get_unaligned_le16(buf + 0);
                chunk_len = get_unaligned_le16(buf + 2);
-               if (chunk_len > len) {
+               if (chunk_len < 4 || chunk_len > len) {
                        dev_err(wdev->dev, "PDS:%d: corrupted file\n", chunk_num);
                        return -EINVAL;
                }
Domain: System / Kernel;