ath10k: add missing sanity check on diag download

ath10k_hw_diag_fast_download() generally has good boundary checking, but it misses verifying that the next metadata header actually fits in the remaining buffer space. Add such a check. Fixes: 39501ea ("ath10k: download firmware via diag Copy Engine for QCA6174 and QCA9377.") Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
mariux64 · Oct 2, 2018 · e720ba1 · e720ba1
1 parent 4fb5837
commit e720ba1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
@@ -1044,6 +1044,12 @@ int ath10k_hw_diag_fast_download(struct ath10k *ar,
 	left = length - sizeof(*hdr);
 
 	while (left > 0) {
+		if (left < sizeof(*metadata)) {
+			ath10k_warn(ar, "firmware segment is truncated: %d\n",
+				    left);
+			ret = -EINVAL;
+			break;
+		}
 		base_addr = __le32_to_cpu(metadata->addr);
 		base_len = __le32_to_cpu(metadata->length);
 		buf = metadata->data;