From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH 08/11] iwlwifi: mvm: add size checks for range response notification
Date: Wed, 9 Dec 2020 17:05:11 +0200 [thread overview]
Message-ID: <iwlwifi.20201209170243.152dd7050b84.I810d7de33fb08001ef1a2e24714d5b68932e088e@changeid> (raw)
In-Reply-To: <20201209150514.944056-1-luca@coelho.fi>
From: Avraham Stern <avraham.stern@intel.com>
The range response notification has several versions. Check the
notification size according to the expected notification version.
Notifications with incorrect size will be ignored.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
.../intel/iwlwifi/mvm/ftm-initiator.c | 44 +++++++++++++++++--
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
index d121f682f875..a4fd0bf9ba19 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
@@ -977,9 +977,44 @@ iwl_mvm_ftm_pasn_update_pn(struct iwl_mvm *mvm,
}
}
+static u8 iwl_mvm_ftm_get_range_resp_ver(struct iwl_mvm *mvm)
+{
+ if (!fw_has_api(&mvm->fw->ucode_capa,
+ IWL_UCODE_TLV_API_FTM_NEW_RANGE_REQ))
+ return 5;
+
+ /* Starting from version 8, the FW advertises the version */
+ if (mvm->cmd_ver.range_resp >= 8)
+ return mvm->cmd_ver.range_resp;
+ else if (fw_has_api(&mvm->fw->ucode_capa,
+ IWL_UCODE_TLV_API_FTM_RTT_ACCURACY))
+ return 7;
+
+ /* The first version of the new range request API */
+ return 6;
+}
+
+static bool iwl_mvm_ftm_resp_size_validation(u8 ver, unsigned int pkt_len)
+{
+ switch (ver) {
+ case 8:
+ return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v8);
+ case 7:
+ return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v7);
+ case 6:
+ return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v6);
+ case 5:
+ return pkt_len == sizeof(struct iwl_tof_range_rsp_ntfy_v5);
+ default:
+ WARN_ONCE(1, "FTM: unsupported range response version %u", ver);
+ return false;
+ }
+}
+
void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
{
struct iwl_rx_packet *pkt = rxb_addr(rxb);
+ unsigned int pkt_len = iwl_rx_packet_payload_len(pkt);
struct iwl_tof_range_rsp_ntfy_v5 *fw_resp_v5 = (void *)pkt->data;
struct iwl_tof_range_rsp_ntfy_v6 *fw_resp_v6 = (void *)pkt->data;
struct iwl_tof_range_rsp_ntfy_v7 *fw_resp_v7 = (void *)pkt->data;
@@ -988,6 +1023,7 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
bool new_api = fw_has_api(&mvm->fw->ucode_capa,
IWL_UCODE_TLV_API_FTM_NEW_RANGE_REQ);
u8 num_of_aps, last_in_batch;
+ u8 notif_ver = iwl_mvm_ftm_get_range_resp_ver(mvm);
lockdep_assert_held(&mvm->mutex);
@@ -995,6 +1031,9 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
return;
}
+ if (unlikely(!iwl_mvm_ftm_resp_size_validation(notif_ver, pkt_len)))
+ return;
+
if (new_api) {
if (iwl_mvm_ftm_range_resp_valid(mvm, fw_resp_v8->request_id,
fw_resp_v8->num_of_aps))
@@ -1021,11 +1060,10 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
int peer_idx;
if (new_api) {
- if (mvm->cmd_ver.range_resp == 8) {
+ if (notif_ver == 8) {
fw_ap = &fw_resp_v8->ap[i];
iwl_mvm_ftm_pasn_update_pn(mvm, fw_ap);
- } else if (fw_has_api(&mvm->fw->ucode_capa,
- IWL_UCODE_TLV_API_FTM_RTT_ACCURACY)) {
+ } else if (notif_ver == 7) {
fw_ap = (void *)&fw_resp_v7->ap[i];
} else {
fw_ap = (void *)&fw_resp_v6->ap[i];
--
2.29.2
next prev parent reply other threads:[~2020-12-09 15:06 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-09 15:05 [PATCH 00/11] iwlwifi: updates intended for v5.11 2020-12-09 Luca Coelho
2020-12-09 15:05 ` [PATCH 01/11] iwlwifi: mvm: fix a race in CSA that caused assert 0x3420 Luca Coelho
2020-12-09 15:05 ` [PATCH 02/11] iwlwifi: add an extra firmware state in the transport Luca Coelho
2020-12-09 15:05 ` [PATCH 03/11] iwlwifi: support firmware reset handshake Luca Coelho
2020-12-09 15:05 ` [PATCH 04/11] iwlwifi: mvm: disconnect if channel switch delay is too long Luca Coelho
2020-12-09 15:05 ` [PATCH 05/11] iwlwifi: Add a new card for MA family Luca Coelho
2020-12-09 15:05 ` [PATCH 06/11] iwlwifi: tighten RX MPDU bounds checks Luca Coelho
2020-12-09 15:05 ` [PATCH 07/11] iwlwifi: mvm: hook up missing RX handlers Luca Coelho
2020-12-09 15:05 ` Luca Coelho [this message]
2020-12-09 15:05 ` [PATCH 09/11] iwlwifi: mvm: check that statistics TLV version match struct version Luca Coelho
2020-12-09 15:05 ` [PATCH 10/11] iwlwifi: mvm: purge the BSS table upon firmware load Luca Coelho
2020-12-09 15:05 ` [PATCH 11/11] iwlwifi: mvm: validate notification size when waiting Luca Coelho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=iwlwifi.20201209170243.152dd7050b84.I810d7de33fb08001ef1a2e24714d5b68932e088e@changeid \
--to=luca@coelho.fi \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.