From patchwork Sun Sep 17 04:08:24 2017
X-Patchwork-Submitter: Kevin Cernekee
X-Patchwork-Id: 9954607
X-Patchwork-Delegate: kvalo@adurom.com
From: Kevin Cernekee
To: arend.vanspriel@broadcom.com, franky.lin@broadcom.com
Cc: brcm80211-dev-list.pdl@broadcom.com, linux-wireless@vger.kernel.org, mnissler@chromium.org
Subject: [PATCH V3 3/3] brcmfmac: Add check for short event packets
Date: Sat, 16 Sep 2017 21:08:24 -0700
Message-Id: <20170917040824.22237-3-cernekee@chromium.org>
In-Reply-To: <20170917040824.22237-1-cernekee@chromium.org>
References: <20170917040824.22237-1-cernekee@chromium.org>
X-Mailing-List: linux-wireless@vger.kernel.org

The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data. Ensure that the received packet actually contains at least DATALEN
bytes of additional data, to avoid copying uninitialized memory into
event->data.

Suggested-by: Mattias Nissler
Signed-off-by: Kevin Cernekee
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

V2->V3: Change '<' to '>' and retest

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index 27e661fa356f..e7eaa57d11d9 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c @@ -424,7 +424,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, if (code != BRCMF_E_IF && !fweh->evt_handler[code]) return; - if (datalen > BRCMF_DCMD_MAXLEN) + if (datalen > BRCMF_DCMD_MAXLEN || + datalen + sizeof(*event_packet) > packet_len) return; if (in_interrupt())
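
Review bot: The new bound, datalen + sizeof(*event_packet) > packet_len, is evaluated only after code and datalen have already been taken from the event header (the fweh->evt_handler[code] test sits directly above it), so this hunk by itself does not cover a packet shorter than sizeof(*event_packet). Nothing visible here shows that packet_len >= sizeof(*event_packet) is established before those header fields are read; please confirm the caller guarantees it, or add that check ahead of the header accesses. Separately, the safety of the addition depends on clause order: because the || short-circuits, datalen is already known to be at most BRCMF_DCMD_MAXLEN when the sum is computed, so it cannot wrap. A one-line comment saying the order is deliberate would keep a later cleanup from swapping the two conditions. Since the V2->V3 note records that the comparison direction was wrong in the previous revision, it would also help to state in the commit message how the retest exercised the short-packet path.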