33 lines
1.3 KiB
Diff
From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
From: Kevin Cernekee <cernekee@chromium.org>
Date: Sat, 16 Sep 2017 21:08:24 -0700
Subject: [PATCH] brcmfmac: Add check for short event packets

The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data. Ensure that the received packet actually contains at least
DATALEN bytes of additional data, to avoid copying uninitialized memory
into event->data.

Cc: <stable@vger.kernel.org> # v3.8
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
|
|
@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
|
|
if (code != BRCMF_E_IF && !fweh->evt_handler[code])
|
|
return;
|
|
|
|
- if (datalen > BRCMF_DCMD_MAXLEN)
|
|
+ if (datalen > BRCMF_DCMD_MAXLEN ||
|
|
+ datalen + sizeof(*event_packet) > packet_len)
|
|
return;
|
|
|
|
if (in_interrupt())
|
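Review bot: The added comparison `datalen + sizeof(*event_packet) > packet_len` depends on the `datalen > BRCMF_DCMD_MAXLEN` test on the line above running first to keep the sum bounded. Because `||` short-circuits this holds as written, but the ordering is load-bearing and easy to break in a later edit. Writing the check as `packet_len < sizeof(*event_packet) || datalen > packet_len - sizeof(*event_packet)` would make it safe on its own and would also reject a packet shorter than the event header. The hunk does not show where `code` and `datalen` are read from the packet, so it is worth confirming that packet_len is already known to cover sizeof(*event_packet) before those header fields are parsed; otherwise the fields being compared here may themselves come from beyond the received data. The short packet is also dropped with a bare `return`, so a rate-limited debug message at this point would help when diagnosing firmware or a peer that produces truncated events.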