xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Garpu 0
Kode Masalah Tarik Permintaan Actions Packages Projects Rilis Wiki Kegiatan

wil6210: fix length check in __wmi_send

Telusuri Sumber 
The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
This commit is contained in:
Lior David
2017-11-14 15:25:37 +02:00
committed by Kalle Valo
orang tua 144a12a6d8
melakukan 26a6d52748
2 mengubah file dengan 22 tambahan dan 2 penghapusan
Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/net/wireless/ath/wil6210/wmi.c
Melihat File

@@ -448,7 +448,7 @@ static int __wmi_send(struct wil6210_priv *wil, u16 cmdid, void *buf, u16 len)
uint retry;
int rc = 0;
if (sizeof(cmd) + len > r->entry_size) {
if (len > r->entry_size - sizeof(cmd)) {
wil_err(wil, "WMI size too large: %d bytes, max is %d\n",
(int)(sizeof(cmd) + len), r->entry_size);
return -ERANGE;