brcmfmac: To fix kernel crash on out of boundary access

To truncate the additional bytes, if extra bytes have been received. Current code only have a warning and proceed without handling it. But in one of the crash reported by DVT, these causes the crash intermittently. So the processing is limit to the skb->len. Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com> Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by: Wright Feng <wright.feng@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200604071835.3842-2-wright.feng@cypress.com

brcmfmac: To fix kernel crash on out of boundary access
To truncate the additional bytes, if extra bytes have been received. Current code only have a warning and proceed without handling it. But in one of the crash reported by DVT, these causes the crash intermittently. So the processing is limit to the skb->len. Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com> Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by: Wright Feng <wright.feng@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200604071835.3842-2-wright.feng@cypress.com
698bae2e · Raveendran Somu · Kalle Valo · f555abfe · 698bae2e
Commit 698bae2e authored Jun 04, 2020 by Raveendran Somu Committed by Kalle Valo Jul 14, 2020
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +3 -0

No files found.
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
@@ -1843,6 +1843,9 @@ void brcmf_fws_hdrpull(struct brcmf_if *ifp, s16 siglen, struct sk_buff *skb)

 	WARN_ON(siglen > skb->len);

+	if (siglen > skb->len)
+		siglen = skb->len;
+
 	if (!siglen)
 		return;
 	/* if flow control disabled, skip to packet data and leave */