diff mbox series

[v2,1/5] brcmfmac: To fix kernel crash on out of boundary access

Message ID 20200604071835.3842-2-wright.feng@cypress.com (mailing list archive)
State Accepted
Commit 698bae2e6ea139cd67debf7e8eb064056783b5bf
Delegated to: Kalle Valo
Headers show
Series brcmfmac: Stability change series | expand

Commit Message

Wright Feng June 4, 2020, 7:18 a.m. UTC
From: Raveendran Somu <raveendran.somu@cypress.com>

To truncate the additional bytes, if extra bytes have been received.
Current code only have a warning and proceed without handling it.
But in one of the crash reported by DVT, these causes the
crash intermittently. So the processing is limit to the skb->len.

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Wright Feng <wright.feng@cypress.com>
---
v2:
 - Correct all typos in commit message

 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Kalle Valo July 14, 2020, 9:44 a.m. UTC | #1
Wright Feng <wright.feng@cypress.com> wrote:

> From: Raveendran Somu <raveendran.somu@cypress.com>
> 
> To truncate the additional bytes, if extra bytes have been received.
> Current code only have a warning and proceed without handling it.
> But in one of the crash reported by DVT, these causes the
> crash intermittently. So the processing is limit to the skb->len.
> 
> Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
> Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
> Signed-off-by: Wright Feng <wright.feng@cypress.com>

5 patches applied to wireless-drivers-next.git, thanks.

698bae2e6ea1 brcmfmac: To fix kernel crash on out of boundary access
1eb4e9f62998 brcmfmac: fix invalid permanent MAC address in wiphy
eccbf46b15bb brcmfmac: keep SDIO watchdog running when console_interval is non-zero
ec3428bb8915 brcmfmac: reduce maximum station interface from 2 to 1 in RSDB mode
fa3266541b13 brcmfmac: To fix Bss Info flag definition Bug
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
index 09701262330d..531fe9be4025 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
@@ -1843,6 +1843,9 @@  void brcmf_fws_hdrpull(struct brcmf_if *ifp, s16 siglen, struct sk_buff *skb)
 
 	WARN_ON(siglen > skb->len);
 
+	if (siglen > skb->len)
+		siglen = skb->len;
+
 	if (!siglen)
 		return;
 	/* if flow control disabled, skip to packet data and leave */