diff options
author | Johannes Berg <johannes.berg@intel.com> | 2020-12-09 23:16:46 +0200 |
---|---|---|
committer | Luca Coelho <luciano.coelho@intel.com> | 2020-12-10 00:16:05 +0200 |
commit | b8aba27cdc0ea6aaafacba3b899ff99d6d876fad (patch) | |
tree | f95682ce970b9ec74e4d8427411b6ff83421bdd1 /drivers/net/wireless/intel/iwlwifi/dvm | |
parent | ac1a98e1e924e7e8d7c7e5b1ca8ddc522e10ddd0 (diff) |
iwlwifi: tighten RX MPDU bounds checks
Previously, we added checks that the contained MPDU size is long
enough, but really we should also check that the notification
itself fits into the data. Add some checks for that.
Also add unlikely() annotations on the previously added checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20201209231352.51cc04cf1e3e.I7bfd6809f8f5feb75f79397646e6656e95688a0e@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/dvm')
-rw-r--r-- | drivers/net/wireless/intel/iwlwifi/dvm/rx.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c index d06278558b33..ecbf8d3cddae 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c +++ b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c @@ -794,6 +794,12 @@ static void iwlagn_rx_reply_rx(struct iwl_priv *priv, IWL_ERR(priv, "MPDU frame without cached PHY data\n"); return; } + + if (unlikely(pkt_len < sizeof(*amsdu))) { + IWL_DEBUG_DROP(priv, "Bad REPLY_RX_MPDU_CMD size\n"); + return; + } + phy_res = &priv->last_phy_res; amsdu = (struct iwl_rx_mpdu_res_start *)pkt->data; header = (struct ieee80211_hdr *)(pkt->data + sizeof(*amsdu)); |