libertas_tf: prevent underflow in process_cmdrequest()

If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up corrupting memory. Fixes: c305a19a ("libertas_tf: usb specific functions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

libertas_tf: prevent underflow in process_cmdrequest()
If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up corrupting memory. Fixes: c305a19a ("libertas_tf: usb specific functions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
3348ef6a · Dan Carpenter · Kalle Valo · 62a25dc5 · 3348ef6a
Commit 3348ef6a authored Aug 14, 2018 by Dan Carpenter Committed by Kalle Valo Aug 31, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

drivers/net/wireless/marvell/libertas_tf/if_usb.c drivers/net/wireless/marvell/libertas_tf/if_usb.c +3 -2

No files found.
--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
@@ -605,9 +605,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff,
 {
 	unsigned long flags;

-	if (recvlength > LBS_CMD_BUFFER_SIZE) {
+	if (recvlength < MESSAGE_HEADER_LEN ||
+	    recvlength > LBS_CMD_BUFFER_SIZE) {
 		lbtf_deb_usbd(&cardp->udev->dev,
-			     "The receive buffer is too large\n");
+			     "The receive buffer is invalid: %d\n", recvlength);
 		kfree_skb(skb);
 		return;
 	}