From patchwork Sat Sep 9 19:30:20 2017
X-Patchwork-Submitter: Kevin Cernekee
X-Patchwork-Id: 9945427
X-Patchwork-Delegate: kvalo@adurom.com
From: Kevin Cernekee
To: arend.vanspriel@broadcom.com, franky.lin@broadcom.com
Cc: brcm80211-dev-list.pdl@broadcom.com, linux-wireless@vger.kernel.org, mnissler@chromium.org
Subject: [PATCH V2 3/3] brcmfmac: Add check for short event packets
Date: Sat, 9 Sep 2017 12:30:20 -0700
Message-Id: <20170909193020.19061-3-cernekee@chromium.org>
In-Reply-To: <20170909193020.19061-1-cernekee@chromium.org>
References: <20170909193020.19061-1-cernekee@chromium.org>
X-Mailing-List: linux-wireless@vger.kernel.org

The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data. Ensure that the received packet actually contains at least DATALEN
bytes of additional data, to avoid copying uninitialized memory into
event->data.

Suggested-by: Mattias Nissler
Signed-off-by: Kevin Cernekee Reviewed-by: Arend van Spriel --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) V1->V2: No change. diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index 27e661fa356f..28361bb865f3 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -424,7 +424,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, if (code != BRCMF_E_IF && !fweh->evt_handler[code]) return; - if (datalen > BRCMF_DCMD_MAXLEN) + if (datalen > BRCMF_DCMD_MAXLEN || + datalen + sizeof(*event_packet) < packet_len) return; if (in_interrupt())
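
Review bot: The new comparison in the brcmf_fweh_process_event() hunk, `datalen + sizeof(*event_packet) < packet_len`, looks inverted relative to the commit message. The message says the packet must contain at least DATALEN bytes after event_packet, so the case to reject is the one where the header plus datalen exceeds what was received. As written, the function returns when the packet is longer than that and continues when it is shorter, which leaves the short-packet case unhandled. Suggest `datalen + sizeof(*event_packet) > packet_len`. Keeping this test as the second operand of the `||` is good, since datalen has already been bounded by BRCMF_DCMD_MAXLEN by the time the sum is evaluated. A one-line comment above the condition stating that packet_len is the received skb data length would also help later readers.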