326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch 1.3 KB

  1. From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
  2. From: Kevin Cernekee <cernekee@chromium.org>
  3. Date: Sat, 16 Sep 2017 21:08:24 -0700
  4. Subject: [PATCH] brcmfmac: Add check for short event packets
  5. The length of the data in the received skb is currently passed into
  6. brcmf_fweh_process_event() as packet_len, but this value is not checked.
  7. event_packet should be followed by DATALEN bytes of additional event
  8. data. Ensure that the received packet actually contains at least
  9. DATALEN bytes of additional data, to avoid copying uninitialized memory
  10. into event->data.
  11. Cc: <stable@vger.kernel.org> # v3.8
  12. Suggested-by: Mattias Nissler <mnissler@chromium.org>
  13. Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
  14. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  15. ---
  16. drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
  17. 1 file changed, 2 insertions(+), 1 deletion(-)
  18. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
  19. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
  20. @@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
  21. if (code != BRCMF_E_IF && !fweh->evt_handler[code])
  22. return;
  23. - if (datalen > BRCMF_DCMD_MAXLEN)
  24. + if (datalen > BRCMF_DCMD_MAXLEN ||
  25. + datalen + sizeof(*event_packet) > packet_len)
  26. return;
  27. if (in_interrupt())
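Review bot: the added `datalen + sizeof(*event_packet) > packet_len` test only bounds the trailing event data, while `code` and `datalen` are already in use above it, so packets shorter than the header itself are not rejected by anything visible in this hunk. If those fields are parsed from `event_packet`, please confirm that `packet_len >= sizeof(*event_packet)` is enforced before they are read, either in the caller or at the top of this function, and add that check if it is missing. Keeping the `datalen > BRCMF_DCMD_MAXLEN` comparison first is good, because it bounds `datalen` before the addition and keeps the sum from wrapping; a one-line comment saying so would stop a later cleanup from reordering the two conditions. The short-packet case also returns silently, so a rate-limited debug message on this path would make malformed firmware events visible during triage.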