From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH v2 44/47] iwlwifi: mvm: add size checks for range response notification
Date: Wed,  9 Dec 2020 23:16:48 +0200	[thread overview]
Message-ID: <iwlwifi.20201209231352.ee57c3214d05.I810d7de33fb08001ef1a2e24714d5b68932e088e@changeid> (raw)
In-Reply-To: <20201209211651.968276-1-luca@coelho.fi>

From: Avraham Stern <avraham.stern@intel.com>

The range response notification has several versions. Check the
notification size according to the expected notification version.
Notifications with incorrect size will be ignored.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 .../intel/iwlwifi/mvm/ftm-initiator.c         | 44 +++++++++++++++++--
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
index d121f682f875..a4fd0bf9ba19 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
@@ -977,9 +977,44 @@ iwl_mvm_ftm_pasn_update_pn(struct iwl_mvm *mvm,
 	}
 }
 
+static u8 iwl_mvm_ftm_get_range_resp_ver(struct iwl_mvm *mvm)
+{
+	if (!fw_has_api(&mvm->fw->ucode_capa,
+			IWL_UCODE_TLV_API_FTM_NEW_RANGE_REQ))
+		return 5;
+
+	/* Starting from version 8, the FW advertises the version */
+	if (mvm->cmd_ver.range_resp >= 8)
+		return mvm->cmd_ver.range_resp;
+	else if (fw_has_api(&mvm->fw->ucode_capa,
+			    IWL_UCODE_TLV_API_FTM_RTT_ACCURACY))
+		return 7;
+
+	/* The first version of the new range request API */
+	return 6;
+}
+
+static bool iwl_mvm_ftm_resp_size_validation(u8 ver, unsigned int pkt_len)
+{
+	switch (ver) {
+	case 8:
+		return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v8);
+	case 7:
+		return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v7);
+	case 6:
+		return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v6);
+	case 5:
+		return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v5);
+	default:
+		WARN_ONCE(1, "FTM: unsupported range response version %u", ver);
+		return false;
+	}
+}
+
 void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
 {
 	struct iwl_rx_packet *pkt = rxb_addr(rxb);
+	unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);
 	struct iwl_tof_range_rsp_ntfy_v5 *fw_resp_v5 = (void *)pkt->data;
 	struct iwl_tof_range_rsp_ntfy_v6 *fw_resp_v6 = (void *)pkt->data;
 	struct iwl_tof_range_rsp_ntfy_v7 *fw_resp_v7 = (void *)pkt->data;
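Review bot: In `iwl_mvm_ftm_get_range_resp_ver()` any advertised `range_resp` above 8 is returned unchanged, so `iwl_mvm_ftm_resp_size_validation()` falls through to `default` and every range response is dropped after a single `WARN_ONCE`. Because that version is advertised by the firmware rather than derived from driver logic, a WARN (which escalates on hosts running with panic_on_warn) looks heavier than the condition deserves. An error log such as `IWL_ERR(mvm, "FTM: unsupported range response version %u\n", ver);` would report the same thing, at the cost of passing `mvm` into the helper. The existing format string is also missing its trailing `\n`. `iwl_mvm_ftm_range_resp()` starts in this hunk and continues outside it.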
@@ -988,6 +1023,7 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
 	bool new_api = fw_has_api(&mvm->fw->ucode_capa,
 				  IWL_UCODE_TLV_API_FTM_NEW_RANGE_REQ);
 	u8 num_of_aps, last_in_batch;
+	u8 notif_ver = iwl_mvm_ftm_get_range_resp_ver(mvm);
 
 	lockdep_assert_held(&mvm->mutex);
 
@@ -995,6 +1031,9 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
 		return;
 	}
 
+	if (unlikely(!iwl_mvm_ftm_resp_size_validation(notif_ver, pkt_len)))
+		return;
+
 	if (new_api) {
 		if (iwl_mvm_ftm_range_resp_valid(mvm, fw_resp_v8->request_id,
 						 fw_resp_v8->num_of_aps))
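Review bot: The new size check returns without logging, so a firmware/driver layout mismatch would surface only as FTM measurements that never complete. A debug message before the `return`, e.g. `IWL_DEBUG_INFO(mvm, "FTM: bad range response size %u (ver %u)\n", pkt_len, notif_ver);`, would make the drop diagnosable. Separately, the exact-size comparison only proves that the whole fixed-size notification struct is present. The later `ap[i]` accesses stay in bounds only if the firmware-supplied `num_of_aps` is capped at the array length, presumably inside `iwl_mvm_ftm_range_resp_valid()`, which is not visible here and should be confirmed. The function body continues outside this hunk.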
@@ -1021,11 +1060,10 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
 		int peer_idx;
 
 		if (new_api) {
-			if (mvm->cmd_ver.range_resp == 8) {
+			if (notif_ver == 8) {
 				fw_ap = &fw_resp_v8->ap[i];
 				iwl_mvm_ftm_pasn_update_pn(mvm, fw_ap);
-			} else if (fw_has_api(&mvm->fw->ucode_capa,
-					      IWL_UCODE_TLV_API_FTM_RTT_ACCURACY)) {
+			} else if (notif_ver == 7) {
 				fw_ap = (void *)&fw_resp_v7->ap[i];
 			} else {
 				fw_ap = (void *)&fw_resp_v6->ap[i];
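Review bot: The final `else` still treats every `notif_ver` other than 8 or 7 as the v6 layout, which is correct today only because the size validation admits just versions 5–8 and the v5 case is excluded by `new_api`. If a later version is added to `iwl_mvm_ftm_resp_size_validation()` but not here, its payload would be parsed through `fw_resp_v6` with the wrong offsets. Making the last branch explicit (`else if (notif_ver == 6)`) with a final `else` that bails out, or turning the chain into a `switch (notif_ver)`, would keep the parser and the size check in step. The enclosing loop starts and ends outside this hunk.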
-- 
2.29.2

