From: Luca Coelho
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Date: Sun, 17 Jan 2021 16:52:33 +0200
Subject: [PATCH 8/9] iwlwifi: mvm: debugfs: check length precisely in inject_packet

From: Johannes Berg When we check the length, we only check that the advertised data length fits into the data we have, but currently not that it actually matches correctly. This should be harmless, but if the first two bytes are zero, then the iwl_rx_packet_payload_len() ends up negative, and that might later cause issues if unsigned variables are used, as this is not something that's normally expected. Change the validation here to precisely validate the lengths match, to avoid such issues. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho --- drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c index 231c3489cc31..3834d7197e11 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c @@ -1169,9 +1169,9 @@ static ssize_t iwl_dbgfs_inject_packet_write(struct iwl_mvm *mvm, if (ret) goto out; - /* avoid invalid memory access */ + /* avoid invalid memory access and malformed packet */ if (bin_len < sizeof(*pkt) || - bin_len < sizeof(*pkt) + iwl_rx_packet_payload_len(pkt)) + bin_len != sizeof(*pkt) + iwl_rx_packet_payload_len(pkt)) goto out; local_bh_disable();
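
Review bot: Both rejection branches of the length check in iwl_dbgfs_inject_packet_write() reach `goto out` with ret still zero (the preceding `if (ret) goto out;` guarantees that), so unless the out label, which is not visible in this hunk, substitutes an error, a write with a mismatched length is dropped while reporting success. Now that `!=` also rejects input with trailing bytes that the old `<` accepted, set `ret = -EINVAL;` before the jump so the writer sees the failure. Separately, the commit message says iwl_rx_packet_payload_len() can be negative; in `sizeof(*pkt) + iwl_rx_packet_payload_len(pkt)` that value is converted to an unsigned type, and the negative case is rejected only because `bin_len < sizeof(*pkt)` is tested first. A one-line comment stating that dependency, or an explicit check for a negative payload length, would keep a later reordering of the two conditions from reopening the problem.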