Commit e270045b authored by Vladimir Kondratiev's avatar Vladimir Kondratiev Committed by John W. Linville

wil6210: Sanity check for reported DMA length

If Rx descriptor contains garbage, it is possible to access memory beyond
allocated buffer.

Check this condition and drop the Rx frame if the reported length is
unreasonably large.
Signed-off-by: default avatarVladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 7e594444
...@@ -349,7 +349,13 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil, ...@@ -349,7 +349,13 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
d1 = wil_skb_rxdesc(skb); d1 = wil_skb_rxdesc(skb);
*d1 = *d; *d1 = *d;
wil_vring_advance_head(vring, 1);
dmalen = le16_to_cpu(d1->dma.length); dmalen = le16_to_cpu(d1->dma.length);
if (dmalen > sz) {
wil_err(wil, "Rx size too large: %d bytes!\n", dmalen);
kfree(skb);
return NULL;
}
skb_trim(skb, dmalen); skb_trim(skb, dmalen);
wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1); wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1);
...@@ -362,8 +368,6 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil, ...@@ -362,8 +368,6 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4, wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4,
(const void *)d, sizeof(*d), false); (const void *)d, sizeof(*d), false);
wil_vring_advance_head(vring, 1);
/* no extra checks if in sniffer mode */ /* no extra checks if in sniffer mode */
if (ndev->type != ARPHRD_ETHER) if (ndev->type != ARPHRD_ETHER)
return skb; return skb;
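Review bot: The new drop path under `if (dmalen > sz)` releases the buffer with `kfree(skb)`, but `skb` is a `struct sk_buff *` (it is passed to `skb_trim()` and returned by this function), so the call bypasses the skb release path and the data buffer attached to the skb is not freed; it should be `kfree_skb(skb);`. The `wil_err()` call in the same branch runs once per bad descriptor with no rate limit, so hardware that keeps reporting garbage lengths can flood the kernel log; consider guarding it with `net_ratelimit()`. A short comment above the check, such as `/* descriptor is written by the device; do not trust its length beyond the allocated buffer size */`, would record why the check exists. wil_vring_reap_rx() starts and ends outside the visible hunks, so whether the buffer has already been DMA-unmapped before this early return cannot be confirmed from here.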