- From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
- From: Kevin Cernekee <cernekee@chromium.org>
- Date: Sat, 16 Sep 2017 21:08:24 -0700
- Subject: [PATCH] brcmfmac: Add check for short event packets
- The length of the data in the received skb is currently passed into
- brcmf_fweh_process_event() as packet_len, but this value is not checked.
- event_packet should be followed by DATALEN bytes of additional event
- data. Ensure that the received packet actually contains at least
- DATALEN bytes of additional data, to avoid copying uninitialized memory
- into event->data.
- Cc: <stable@vger.kernel.org> # v3.8
- Suggested-by: Mattias Nissler <mnissler@chromium.org>
- Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
- Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
- ---
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
- --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
- +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
- @@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
- if (code != BRCMF_E_IF && !fweh->evt_handler[code])
- return;
-
- - if (datalen > BRCMF_DCMD_MAXLEN)
- + if (datalen > BRCMF_DCMD_MAXLEN ||
- + datalen + sizeof(*event_packet) > packet_len)
- return;
-
- if (in_interrupt())
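Review bot: In the added condition, the sum `datalen + sizeof(*event_packet)` relies on the preceding `datalen > BRCMF_DCMD_MAXLEN` clause being evaluated first to keep `datalen` small enough that the addition cannot wrap. A one-line comment stating that ordering dependency would protect the check if the clauses are later reordered or split. Separately, the `return` on a short packet is silent. A rate-limited debug message at this point would make truncated or malformed firmware events visible in logs instead of dropping them without trace.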