Skip to content

Commit

Permalink
brcmfmac: Add check for short event packets
Browse files Browse the repository at this point in the history 
The length of the data in the received skb is currently passed into
brcmf_fweh_process_event() as packet_len, but this value is not checked.
event_packet should be followed by DATALEN bytes of additional event
data.  Ensure that the received packet actually contains at least
DATALEN bytes of additional data, to avoid copying uninitialized memory
into event->data.

Cc: <stable@vger.kernel.org> # v3.8
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  • Loading branch information
Kevin Cernekee authored and Kalle Valo committed Oct 2, 2017
1 parent b8b8b16 commit dd23491
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
if (code != BRCMF_E_IF && !fweh->evt_handler[code])
return;

if (datalen > BRCMF_DCMD_MAXLEN)
if (datalen > BRCMF_DCMD_MAXLEN ||
datalen + sizeof(*event_packet) > packet_len)
return;

if (in_interrupt())
Expand Down

0 comments on commit dd23491

Please sign in to comment.