From patchwork Sun Jan 30 09:52:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luca Coelho X-Patchwork-Id: 12729786 X-Patchwork-Delegate: luca@coelho.fi Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90945C43217 for ; Sun, 30 Jan 2022 09:53:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354541AbiA3JxO (ORCPT ); Sun, 30 Jan 2022 04:53:14 -0500 Received: from paleale.coelho.fi ([176.9.41.70]:37902 "EHLO farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1354531AbiA3JxN (ORCPT ); Sun, 30 Jan 2022 04:53:13 -0500 Received: from 91-156-4-210.elisa-laajakaista.fi ([91.156.4.210] helo=kveik.lan) by farmhouse.coelho.fi with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1nE6tS-0003JO-LS; Sun, 30 Jan 2022 11:53:11 +0200 From: Luca Coelho To: kvalo@kernel.org Cc: luca@coelho.fi, linux-wireless@vger.kernel.org Date: Sun, 30 Jan 2022 11:52:58 +0200 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220130095306.790573-1-luca@coelho.fi> References: <20220130095306.790573-1-luca@coelho.fi> MIME-Version: 1.0 Subject: [PATCH 04/12] iwlwifi: pcie: make sure iwl_rx_packet_payload_len() will not underflow Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Andrei Otcheretianski If the device is malfunctioning and reports too short rx descriptor length, iwl_rx_packet_payload_len() will underflow, eventually resulting in accessing memory out of bounds and other bad things. Prevent this. Signed-off-by: Andrei Otcheretianski Signed-off-by: Luca Coelho --- drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c index bda98c2eb0ad..e4016c97d5ab 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c @@ -1317,7 +1317,7 @@ static void iwl_pcie_rx_handle_rb(struct iwl_trans *trans, offset += ALIGN(len, FH_RSCSR_FRAME_ALIGN); /* check that what the device tells us made sense */ - if (offset > max_len) + if (len < sizeof(*pkt) || offset > max_len) break; trace_iwlwifi_dev_rx(trans->dev, trans, pkt, len);