brcmfmac: Add check for short event packets

The length of the data in the received skb is currently passed into brcmf_fweh_process_event() as packet_len, but this value is not checked. event_packet should be followed by DATALEN bytes of additional event data. Ensure that the received packet actually contains at least DATALEN bytes of additional data, to avoid copying uninitialized memory into event->data. Cc: <stable@vger.kernel.org> # v3.8 Suggested-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

brcmfmac: Add check for short event packets
The length of the data in the received skb is currently passed into brcmf_fweh_process_event() as packet_len, but this value is not checked. event_packet should be followed by DATALEN bytes of additional event data. Ensure that the received packet actually contains at least DATALEN bytes of additional data, to avoid copying uninitialized memory into event->data. Cc: <stable@vger.kernel.org> # v3.8 Suggested-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
dd234912 · Kevin Cernekee · Kalle Valo · b8b8b163 · dd234912
Commit dd234912 authored Sep 16, 2017 by Kevin Cernekee Committed by Kalle Valo Oct 02, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +2 -1

No files found.
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
 	if (code != BRCMF_E_IF && !fweh->evt_handler[code])
 		return;

-	if (datalen > BRCMF_DCMD_MAXLEN)
+	if (datalen > BRCMF_DCMD_MAXLEN ||
+	    datalen + sizeof(*event_packet) > packet_len)
 		return;

 	if (in_interrupt())